The following Links are curated from Below Sources.
| Name | URL |
|---|---|
| M507 | Github |
| Z-r0crypt OSWE/AWAE Preparation | Blog |
| AWAE - OSWE Preparation / Resources | Gitbook |
| HTB and Vulnhub: An OSWE Approach | Blog |
All efforts for the AWAE course and preparation for the Offensive Security Web Expert (OSWE) exam.
- https://popped.io/hijacking-sessions-using-socat/
- https://pentesterlab.com/exercises/xss_and_mysql_file/course
- https://www.acunetix.com/blog/articles/persistent-xss/
- https://portswigger.net/web-security/cross-site-scripting
-
XSS and MySQL
- https://www.exploit-db.com/docs/english/45074-file-upload-restrictions-bypass.pdf
- http://www.securityidiots.com/Web-Pentest/hacking-website-by-shell-uploading.html
- https://www.owasp.org/index.php/Unrestricted_File_Upload
- Popcorn machine from HackTheBox
- Vault machine from HackTheBox
- [Paper] File Upload Restrictions Bypass
- Shell the web - Methods of a Ninja
- Unrestricted File Upload
- Atlassian Crowd Pre-auth RCE
- Popcorn machine from HackTheBox
- Vault machine from HackTheBox
- Introduction to WebSockets
- [Video] Hacking with Websocket - BlackHat
- Remote Hardware takeover via Websocket Hijacking
- Cross-Site WebSocket Hijacking to full Session Compromise
- Introduction to Code Review [PentesterLab]
- Static code analysis writeups
- TrendMicro - Secure Coding Dojo
- Bug Hunting with Static Code Analysis [Video]
- Shopify Remote Code Execution - Hackerone
- Finding vulnerabilities in source code ( APS.NET)
- A deep dive into ASP.NET Deserialization
- Writeups by mr_me
- https://www.owasp.org/images/6/6b/PHPMagicTricks-TypeJuggling.pdf
- https://medium.com/@Q2hpY2tlblB3bnk/php-type-juggling-c34a10630b10
- https://foxglovesecurity.com/2017/02/07/type-juggling-and-php-object-injection-and-sqli-oh-my/
- https://www.netsparker.com/blog/web-security/php-type-juggling-vulnerabilities/
- http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html
- https://www.netsparker.com/blog/web-security/type-juggling-authentication-bypass-cms-made-simple/
- https://www.php.net/manual/en/types.comparisons.php
- https://github.com/spaze/hashes
- https://www.whitehatsec.com/blog/magic-hashes/
- Falafel machine from HackTheBox
- OWASP - PHPMagicTricks TypeJuggling
- PHP Type Juggling - Introduction
- Type Juggling, PHP Object Injection, SQLi
- Writing Exploits For PHP Type Juggling
- Type Juggling Authentication Bypass Vulnerability in CMS Made Simple
- PHP Magic Hashes
- Detailed Explanation of PHP Type Juggling Vulnerabilities
- [Video] PHP Type Juggling Vulnerabilities, Netsparker
- [Video] Falafel machine from HackTheBox
- https://ckarande.gitbooks.io/owasp-nodegoat-tutorial/content/tutorial/a1_-_server_side_js_injection.html
- https://capacitorset.github.io/mathjs/
- Server Side JS Injection
- Remote Code Execution in math.js
- Arbitrary code execution in fast-redact
- NVIDIA GeForce Experience OS Command Injection - CVE-2019-5678
- SetTimeout and SetInterval use eval therefore are evil
- Pentesting Node.js Application : Nodejs Application Security
- NodeJS remote debugging with vscode
- Escape NodeJS Sandboxes
- https://maikthulhu.github.io/2019-05-17-remote-debugging-node-vscode/
- https://github.com/ajinabraham/Node.Js-Security-Course
- https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/
- https://www.yeahhub.com/nodejs-deserialization-attack-detailed-tutorial-2018/
- Celestial machine from HackTheBox
- RCE with SQL Injection - MSSQL
- SQL Injection to LFI to RCE - MySQL
- From SQLi to SHELL (I and II) - PentesterLab
- Pre-Auth Takeover of OXID eShops
- Blind SQL Injection
- [Paper] PostgreSQL Injection
- Having Fun With PostgreSQL
- Blind Postgresql Sql Injection Tutorial
- SQL Injection Cheat Sheet - PentestMonkey
- SQL Injection Cheat Sheet - PayloadAllTheThings
- Exploiting H2 SQL injection to RCE \
- https://pentesterlab.com/exercises/from_sqli_to_shell/course
- https://www.acunetix.com/websitesecurity/blind-sql-injection/
- http://pentestmonkey.net/cheat-sheet/sql-injection/postgres-sql-injection-cheat-sheet
- http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt
- https://www.exploit-db.com/papers/13084
- http://www.postgresqltutorial.com/postgresql-string-functions/
- https://www.linuxtopia.org/online_books/database_guides/Practical_PostgreSQL_database/c7547_002.htm
- https://www.infigo.hr/files/INFIGO-TD-2009-04_PostgreSQL_injection_ENG.pdf
- https://dotcppfile.wordpress.com/2014/07/12/blind-postgresql-sql-injection-tutorial/
- A Deep Dive into XXE Injection
- From XXE to RCE: Pwn2Win CTF 2018 Writeup
- Blind XXE to RCE
- Apache Flex BlazeDS XXE Vulnerabilty
- WebLogic EJBTaglibDescriptor XXE
- [Portswigger Research] Server Side Template Injection
- [Video] SSTI : RCE For The Modern Web App - albinowax
- Server Side Template Injection
- Jinja2 template injection filter bypasses
- Exploitation of Server Side Template Injection with Craft CMS plugin SEOmatic <=3.1.3
- Use of Deserialization in .NET Framework Methods and Classes. https://www.nccgroup.trust/globalassets/our-research/uk/images/whitepaper-new.pdf
- https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf
- Testing Password rest functionalities
- OWASP - Forgot Password Cheatsheet
- How we hacked multiple user accounts using weak reset tokens for passwords
- ATutor 2.2.1 Authentication Bypass
- ATutor LMS password_reminder TOCTOU Authentication Bypass
- ATutor 2.2.1 - Directory Traversal / Remote Code Execution
- Cubecart Admin Authentication Bypass
- Trendmicro smart protection bypass to RCE
- AtMail Email Server Appliance 6.4 - Persistent Cross-Site Scripting
- Chaining XSS, CSRF to achieve RCE
- Code analysis to gaining RCE
- Magento 2.3.1: Unauthenticated Stored XSS to RCE
- Mybb 18.20 From Stored XSS to RCE
All efforts for the AWAE course and preparation for the Offensive Security Web Expert (OSWE) exam.
Taken from publicly-available syllabus.
- 1. Introduction
- Videos
- Read/Notes
- 2. Tools & Methodologies
- Videos
- Read/Notes
- 2.1.5 Exercise - Web Inspection
- 2.2.1 Exercise - Python Requests
- 2.3.3 Exercise - Decompilation
- 3. Atmail Mail Server Appliance: from XSS to RCE
- Videos
- Read/Notes
- 3.3.1 Exercise - Vuln Discovery
- 3.4.1 Exercise - Session Hijack
- 3.5.4 Exercise - Session Riding
- 3.5.5 Extra Mile - Session Riding
- 3.6.5 Exercise - globalsaveAction Vuln Analysis
- 3.6.7 Exercise - Make it fully automagical
- 3.6.8 Extra Mile
- 3.6.8 Extra Mile - Also see if you can background it completely
- 4. ATutor Auth Bypass and RCE
- Videos
- Read/Notes
- 4.3.1 Exercise - Vuln Discovery
- 4.6.3 Exercise - Data Exfil
- 4.6.4 Extra Mile - Data Exfil
- 4.7.1 Exercise - ATutor Auth
- 4.7.2 Extra Mile - ATutor Auth
- 4.8.1 Exercise - ATutor Auth
- 4.8.2 Extra Mile - ATutor Auth
- 4.9.1 Exercise - File Upload
- 4.10.5 Exercise - RCE
- 4.10.6 Extra Mile - RCE
- 5. ATutor LMS Type Juggling Vuln
- Videos
- Read/Notes
- 5.4.1 Exercise - String Conversion
- 5.6.3 Exercise - Loose Comparison
- 5.6.4 Extra Mile - Loose Comparison
- 6. ManageEngine Applications Manager AMUserResourcesSyncServlet SQL Injection RCE
- Videos
- Read/Notes
- 6.3.6 Exercise - Vuln Discovery
- 6.5.1 Exercise - Blind Bats
- 6.6.1 Exercise - Access FS
- 6.6.3 Exercise - VBS file [!! Need to do the batch! Got the reverse shell... !!]
- 6.6.4 Extra Mile - Shell via JSP
- 6.7.4 Exercise - PostgreSQL Extensions
- 6.8.1 Exercise - UDF Reverse Shell
- 6.9.3 Exercise - Moar Shells
- 6.9.4 Extra Mile - Moar Shells
- 7. Bassmaster NodeJS Arbitrary JavaScript Injection Vulnerability
- Videos
- Read/Notes
- 7.6.1 Exercise - RevShell
- 7.6.2 Extra Mile - RevShell
- 8. DotNetNuke Deserialization RCE
- Videos
- Read/Notes
- 8.4.3 Exercise - Serialization Basics
- 8.4.5 Exercise - Serialization Basics
- 8.4.7 Exercise - Serialization Basics
- 8.5.3 Exercise - DNN Vuln Analysis
- 8.6.4 Exercise - Payload Options
- 8.6.7 Exercise - Payload Options
- 8.7.1 Exercise - Payload Options
- 8.8.1 Extra Mile - Y SO SERIAL? .NET
- 8.8.2 Extra Mile - Y SO SERIAL? Java
- 9. ERPNext Authentication Bypass and Server Side Template Injection
- Videos
- Read/Notes
- 9.1.1.1 Exercise - Configure Kali SMTPd server
- 9.1.2.1 Exercise - Configure remote debugging
- 9.1.3.1 Exercise - Configure MariaDB logging
- 9.2.3.2 Exercise - Find whitelisted functions
- 9.3.1.2 Exercises - SQLi
- 9.4.2.1 Exercises - Access the admin acct
- 9.5.2.1 Exercise - Find the SSTI
- 9.5.2.2 Extra Mile - Find another instance of SSTI
- 9.5.3.1 Exercise - Recreate the
__class__rendering - 9.5.3.2 Extra Mile - Alternative filter bypass
- 9.6.1.1 Exercises - Recreate the filter bypass and exploit and find other classes to own
- 9.6.2.1 Exercises - Recreate RCE and get shell
- 9.6.2.2 Extra Mile - Get output to display
- 10. openCRX Authentication Bypass and Remote Code Execution
- Videos
- Read/Notes
- 10.2.1.1 Exercise - Recreate the Rando and SecureRando
- 10.2.4.1 Exercise - Generate a token list
- 10.2.4.2 Extra Mile - Update token program to take start/stop
- 10.2.5.2 Exercises - Reset password
- 10.2.5.3 Extra Mile - Automate the attack chain
- 10.3.6.2 Exercises - Recreate the XXE attack
- 10.3.6.3 Extra Mile - Script to parse XXE results
- 10.3.8.1 Exercise - Implement the "wrapper" payload
- 10.3.9.2 Exercise - Connect to HSQLDB
- 10.4.1.1 Exercises - Write file and confirm
- 10.4.2.1 Exercise - Find dir with JSP files
- 10.4.3.1 Exercises - Get. That. Shell.
- 11. openITCOCKPITXSSandOSCommandInjection - Blackbox
- Videos
- Read/Notes
- 11.5.1 Exercise - Recreate the XSS
- 11.6.2.1 Exercises - DOM rewrite
- 11.6.2.2 Extra Mile - Prevent new page load
- 11.6.3.1 Exercises - Finish the script and initialize the DB
- 11.6.4.1 Exercises - Finish the API script and get a fake login page with the XSS
- 11.6.4.2 Extra Mile - Add cookie functionality
- 11.6.5.1 Exercises - Exploit the XSS
- 11.6.5.2 Extra Miles - Beef up dat XSS
- 11.6.6.1 Exercise - Dump the SQLite DB
- 11.7.4.1 Exercise - Fuzz and find cmds
- 11.7.5.1 Exercise - Test cmd injection
- 11.7.6.1 Exercise - Get a meterpreter shell
- 10.7.7 Extra Mile - Get RCE via administrator session
