MySQL Injection
- Blind-based SQL Injection
- Retrieve User Hash
Insecure File Upload
- via Zip File
- Directory Traversal in Zip
- Bypass File Extension Blacklist
Type Juggling
- Loose Comparison
- Using exponents to compare integer with string
- Brute-force until a valid string is discovered where user-controlled exponent == '0'
Postgresql SQL Injection
- Stacked Queries
- Union-based
- Union + Boolean-based
- Time-based
Postgresql Reverse Shell
- COPY TO
- UDF Reverse Shell (Windows + Linux)
- Postgres Large Objects
NodeJS Eval
- Bypass Regex Filter
- Bypass '/' via Hex Encoding
Cookie Deserialization
- https://github.com/pwntester/ysoserial.net
Server-Side Template Injection
- MariaDB Multiline SQL Injection
- Union-based SQL Injection
- Retrieve Admin Password Reset
- Union + Collation (Same Encoding)
- Render Function SSTI
- Jinja Filter Evasion
- Subprocess Popen Remote Command Execution
XML External Entity + Insecure Password Randomization
- Predictable Randomization
- Using current time to generate password reset token
- Automating password reset
- Error-based XXE in API
- Access to Tomcat Manager
- Access to HSQLDB Manager
- Retrieve JDBC connection string with sensitive credentials
- HSQLDB
- Create remote Java function
- Leverage remote function to call Write function
- Execute RCE via JSP shell
Advanced XSS Exploitation
- Sitemap and Third Party Library Enumeration
- DOM-based Cross-site Scripting
- Writing to DOM and creating a fake landing page
- Database + APIs to steal authenticated access
- Scrape contents
- Websocket
- Running arbitrary commands
CSRF + CORS to RCE
- Unsafe CORS headers
- Bypassing SameSite Attribute
- Insecure Defaults
Server-Side Request Forgery
- Web Service Verb Tampering Enumeration
- Blind SSRF
- Port and Subnet Scanning via SSRF
- Exploiting Headless Chrome
Prototype Pollution
- Locate Prototype Pollution in Extend, Merge or Set
- Exploit AST Injection, or remote code execution via Templates
