OSWE-Prep

An OSWE Guide

WriteUps

https://stacktrac3.co/oswe-review-awae-course/

https://github.com/wetw0rk/AWAE-PREP

https://github.com/timip/OSWE

https://forum.hackthebox.eu/discussion/2646/oswe-exam-review-2020-notes-gifts-inside

https://anchor.fm/dayzerosec/episodes/Offensive-Securitys-OSWEAWAE--Massive-Security-failures--and-a-handful-of-cool-attacks-e45m85

https://www.linkedin.com/pulse/lets-get-oswe-certificate-part-i-recon-istv%25C3%25A1n-b%25C3%25B6hm/

https://donavan.sg/blog/index.php/2020/03/14/the-awae-oswe-journey-a-review/

https://medium.com/@fasthm00/the-state-of-oswe-c68150210fe4

https://z-r0crypt.github.io/blog/2020/01/22/oswe/awae-preparation/

https://github.com/deletehead/awae_oswe_prep

https://github.com/M507/AWAE-Preparation

https://www.vesiluoma.com/offensive-security-web-expert-oswe-advanced-web-attacks-and-exploitation/

https://blog.bousalman.com/oswe-review/

https://www.youtube.com/playlist?list=PLwvifWoWyqwqkmJ3ieTG6uXUSuid95L33

https://hub.schellman.com/blog/oswe-review-and-exam-preparation-guide

https://medium.com/@it_band/how-i-passed-the-oswe-exam-3de88bdbad2c

https://www.reddit.com/r/OSWE/comments/bsods2/i_just_passed_the_oswe_exam_amaa_about_the_exam/

https://nethemba.com/are-you-preparing-for-oswe-or-oscp-certification/

https://kishanchoudhary.com/OSWE/Journey/OSWE.html

Remote Code Execution

https://shells.systems/

https://medium.com/@corneacristian/top-25-rce-bug-bounty-reports-bc9555cca7bc

https://github.com/shawnmckinney/remote-code-execution-sample

https://www.gosecure.net/blog/2019/07/03/java-remote-code-execution-potpourri/

https://labs.bishopfox.com/tech-blog/2015/08/coldfusion-bomb-a-chain-reaction-from-xss-to-rce

https://voidsec.com/tabletopia-from-xss-to-rce/

https://blog.ripstech.com/2019/magento-rce-via-xss/

https://medium.com/@knownsec404team/the-analysis-of-mybb-18-20-from-stored-xss-to-rce-7234d7cc0e72

https://sarthaksaini.com/2019/awae/xss-rce.html

https://s0md3v.github.io/xss-to-rce/

https://anotherhackerblog.com/exploiting-file-uploads-pt-2/

https://labs.bishopfox.com/advisories/openemr-5-0-16-remote-code-execution-cross-site-scripting

https://zero.lol/2019-05-13-xss-to-rce/

https://lwierzbicki.github.io/2020/06/10/from-file-upload-to-rce.html

https://www.corben.io/atlassian-crowd-rce/

https://rebraws.github.io/ATutor/

https://github.com/fuzzlove/ATutor-2.2.4-Language-Exploit

https://underdefense.com/n-day-exploit-development-and-upgrade-to-rce/

https://www.rcesecurity.com/2017/08/from-lfi-to-rce-via-php-sessions/

https://www.exploit-db.com/exploits/39534

https://www.exploit-db.com/exploits/39524

https://ssd-disclosure.com/ssd-advisory-auth-bypass-and-rce-in-infinite-wp-admin-panel/

https://github.com/kacperszurek/exploits/blob/master/GitList/gitlist_unauthenticated_rce.py

https://medium.com/cisco-amp-technology/remote-code-execution-for-java-developers-84adb8e23652

https://wiki.sei.cmu.edu/confluence/display/java/IDS07-J.+Sanitize+untrusted+data+passed+to+the+Runtime.exec%28%29+method

https://github.com/pwntester/SpringBreaker

File Upload Vulnerability

https://www.slideshare.net/HackIT-ukraine/15-technique-to-exploit-file-upload-pages-ebrahim-hegazy

https://medium.com/@519udhaya/unrestricted-file-upload-vulnerability-bba4491a08da

https://book.hacktricks.xyz/pentesting-web/file-upload

https://www.exploit-db.com/exploits/48978

Auth Bypass

https://blog.ripstech.com/2018/cubecart-admin-authentication-bypass/

https://packetstormsecurity.com/files/157563/ATutor-LMS-2.2.4-Weak-Password-Reset-Hash.html

https://ssd-disclosure.com/ssd-advisory-auth-bypass-and-rce-in-infinite-wp-admin-panel/

Deserialisation

https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/

https://nickbloor.co.uk/2017/08/13/attacking-java-deserialization/

https://gist.github.com/DiabloHorn/8630948d953386d2ed575e17f8635ee7

https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html

https://deadcode.me/blog/2016/09/18/Blind-Java-Deserialization-Part-II.html

http://slightlyrandombrokenthoughts.blogspot.com/2010/08/breaking-defensive-serialization.html

https://speakerdeck.com/pwntester/attacking-net-serialization?slide=8

https://cheatsheetseries.owasp.org/cheatsheets/Deserialization_Cheat_Sheet.html

https://brandur.org/fragments/gadgets-and-chains

https://notsosecure.com/remote-code-execution-via-php-unserialize/

https://www.nccgroup.com/uk/about-us/newsroom-and-events/blogs/2019/march/finding-and-exploiting-.net-remoting-over-http-using-deserialisation/

https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_WP.pdf

https://www.youtube.com/watch?v=t-zVC-CxYjw&ab_channel=OWASP

https://pentest-tools.com/blog/exploit-dotnetnuke-cookie-deserialization/

https://book.hacktricks.xyz/pentesting-web/deserialization/basic-.net-deserialization-objectdataprovider-gadgets-expandedwrapper-and-json.net

https://book.hacktricks.xyz/pentesting-web/deserialization

https://rhinosecuritylabs.com/research/java-deserializationusing-ysoserial/

https://blog.jamesotten.com/post/applications-manager-rce/

https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet#ysoserial

https://gist.github.com/pwntester/72f76441901c91b25ee7922df5a8a9e4

https://medium.com/@frycos/yet-another-net-deserialization-35f6ce048df7

https://speakerdeck.com/pwntester/attacking-net-serialization?slide=12

https://www.exploit-db.com/exploits/42756

https://research-labs.net/search/exploits/hpe-72-java-deserialization

https://nytrosecurity.com/2018/05/30/understanding-java-deserialization/

https://www.exploit-db.com/docs/english/44756-deserialization-vulnerability.pdf

http://www.pwntester.com/blog/2013/12/16/cve-2011-2894-deserialization-spring-rce/

https://blog.ripstech.com/tags/php-object-injection/

https://medium.com/bugbountywriteup/fireshell-ctf-2019-web-vice-writeup-2deee8d82556

https://github.com/s-n-t/presentations/blob/master/us-18-Thomas-It's-A-PHP-Unserialization-Vulnerability-Jim-But-Not-As-We-Know-It.pdf

SQL Injection

https://www.exploit-db.com/papers/17073

https://github.com/blabla1337/skf-labs/blob/master/kbid-156-sqli-blind.md

https://0x00sec.org/t/taking-sql-injections-further-blind-second-order-sql-injection-tmhc-ctf-shitter-writeup/18122

https://cyberpanda.la/blog/laravel-sql-injections

http://blog.k3170makan.com/2012/01/bit-shifting-blind-injection-simplified.html

https://pulsesecurity.co.nz/articles/postgres-sqli

https://medium.com/@afinepl/postgresql-code-execution-udf-revisited-3b08412f47c1

https://www.infigo.hr/files/INFIGO-TD-2009-04_PostgreSQL_injection_ENG.pdf

https://medium.com/@ismailtasdelen/sql-injection-payload-list-b97656cfd66b

https://hydrasky.com/network-security/sql-injection-bypass-cheatsheet/

https://www.secjuice.com/advanced-sqli-waf-bypass/

https://www.exploit-db.com/papers/17934

https://medium.com/@infinitypaul/laravel-query-builder-security-8ce5e96233d9

https://security.stackexchange.com/questions/7024/is-it-possible-to-test-for-postgres-blindsql-injection-using-pg-sleep-in-a-whe

https://www.websec.ca/kb/sql_injection

https://incogbyte.github.io/sqli_waf_bypass/

https://medium.com/@frycos/finding-sql-injections-fast-with-white-box-analysis-a-recent-bug-example-ca449bce6c76

http://www.mannulinux.org/2015/03/blind-injection-exploitation-with.html

http://www.mannulinux.org/2018/03/erro-based-sql-injection-mysql.html

http://www.mannulinux.org/2020/09/sql-injection-filter-bypass-to-perform.html

https://blog.cobalt.io/a-pentesters-guide-to-sql-injection-sqli-16fd570c3532

https://www.exploit-db.com/exploits/46725

https://blog.pentesteracademy.com/postgresql-udf-command-execution-372f0c68cfed

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20Injection/MySQL%20Injection.md

https://www.open-emr.org/wiki/images/1/11/Openemr_insecurity.pdf

https://www.postgresql.org/docs/8.0/xfunc-sql.html

https://www.dionach.com/blog/postgresql-9-x-remote-command-execution/

https://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt

https://medium.com/@notsoshant/a-not-so-blind-rce-with-sql-injection-13838026331e

https://www.redsiege.com/blog/2018/11/sqli-data-exfiltration-via-dns/

http://pentestmonkey.net/category/cheat-sheet/sql-injection

http://pentestmonkey.net/cheat-sheet/sql-injection/mssql-sql-injection-cheat-sheet

http://www.mannulinux.org/2020/04/exploiting-sql-injection-in-insert.html

https://github.com/21y4d/blindSQLi/blob/master/blindSQLi.py

https://github.com/Dionach/pgexec/blob/master/pg_exec.c

https://www.codeigniter.com/userguide3/database/queries.html#escaping-queries

Type Juggling

https://dzone.com/articles/type-juggling-authentication-bypass-vulnerability

https://hackerone.com/reports/86022

https://docs.google.com/spreadsheets/u/0/d/1oWsmTvEZcfgc_1QkBczNGA3Gcffg_pmgKcak7iZldUw/pub?output=html

https://www.alertlogic.com/blog/writing-exploits-for-exotic-bug-classes-php-type-juggling-d58/

https://labs.f-secure.com/archive/laravel-cookie-forgery-decryption-and-rce/

https://labs.f-secure.com/archive/wordpress-auth-cookie-forgery/

https://owasp.org/www-pdf-archive/PHPMagicTricks-TypeJuggling.pdf

https://docs.google.com/file/d/0ByaHyu9Ur1viWV9yZFVwS3dpQ2M/edit

http://turbochaos.blogspot.com/2013/08/exploiting-exotic-bugs-php-type-juggling.html

https://www.sans.org/blog/php-weak-typing-woes-8212-with-some-pontification-about-code-and-pen-testing/

JS Injection

https://howtonode.org/what-is-this

https://www.npmjs.com/package/safe-eval

https://capacitorset.github.io/mathjs/

https://riptutorial.com/javascript/example/32217/evaled-json-injection

https://medium.com/swlh/secure-code-review-and-penetration-testing-of-node-js-and-javascript-apps-41485b1a9518

https://pwnisher.gitlab.io/nodejs/sandbox/2019/02/21/sandboxing-nodejs-is-hard.html

https://blog.netspi.com/escape-nodejs-sandboxes/

https://humanwhocodes.com/blog/2013/06/25/eval-isnt-evil-just-misunderstood/

http://dfkaye.github.io/2014/03/14/javascript-eval-and-function-constructor/

https://portswigger.net/research/dom-based-angularjs-sandbox-escapes

https://nodejs.org/api/vm.html

https://nodejs.dev/learn/how-much-javascript-do-you-need-to-know-to-use-nodejs

https://nodejs.dev/learn/differences-between-nodejs-and-the-browser

https://ibreak.software/2016/08/nodejs-rce-and-a-simple-reverse-shell/

hacksparrow/safe-eval#19

SSTI

https://0day.work/jinja2-template-injection-filter-bypasses/

https://medium.com/@nyomanpradipta120/jinja2-ssti-filter-bypasses-a8d3eb7b000f

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Server%20Side%20Template%20Injection#jinja2

Misc

https://ippsec.rocks/?#

https://www.bitdefender.com/blog/consumer/avoid-malicious-files-double-extensions/

https://js.getwisdom.io/til-js-safely-reversing-unicode-strings/

https://eng.getwisdom.io/awesome-unicode/

https://developer.apple.com/library/archive/documentation/General/Conceptual/DevPedia-CocoaCore/ObjectGraph.html#//apple_ref/doc/uid/TP40008195-CH54-SW1

https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/

https://netsec.ws/?p=331

https://codewhitesec.blogspot.com/2015/03/sh-or-getting-shell-environment-from.html

http://www.jackson-t.ca/runtime-exec-payloads.html