@vigolium/piolium 0.0.1

package/skills/wooyun-legacy/references/bank-penetration.md

@@ -0,0 +1,222 @@
+# Banking Penetration Testing Methodology
+
+> This case study is anonymized and presented for educational purposes in authorized security testing contexts only.
+
+> Based on analysis of 22,132 real WooYun cases
+
+## 1. Banking Attack Surface Layered Model
+
+```
+┌─────────────────────────────────────────────────────────────────────────┐
+│                     Layer 1: Internet Boundary                          │
+├─────────────────────────────────────────────────────────────────────────┤
+│  Online Banking │ Mobile Banking │ WeChat Banking │ Direct Banking │    │
+│  Credit Card Center │ Official Site / Campaign Pages                   │
+└─────────────────────────────────────────────────────────────────────────┘
+                                    │
+                                    |
+┌─────────────────────────────────────────────────────────────────────────┐
+│                   Layer 2: Interface / Channel Layer                     │
+├─────────────────────────────────────────────────────────────────────────┤
+│  Payment Interface │ Card Network Channel │ Quick Pay │ Direct Debit │  │
+│  Aggregated Payment │ Open Banking API                                 │
+└─────────────────────────────────────────────────────────────────────────┘
+                                    │
+                                    |
+┌─────────────────────────────────────────────────────────────────────────┐
+│                     Layer 3: Internal Systems Layer                      │
+├─────────────────────────────────────────────────────────────────────────┤
+│  Core Banking │ Loan System │ Risk Control │ AML │ CRM │ Reporting     │
+└─────────────────────────────────────────────────────────────────────────┘
+```
+
+## 2. High-Risk Vulnerability Types
+
+### Tier 1: Financial Vulnerabilities (68-88% High Severity)
+
+| Vulnerability Type | High Severity % | Banking-Specific Scenario |
+|-------------------|----------------|--------------------------|
+| Password Reset | 88.0% | Online/mobile banking login password, transaction PIN |
+| Withdrawal Flaws | 83.1% | Transfer limit bypass, withdrawal validation defects |
+| Amount Tampering | 83.0% | Transfer amount, investment amount, repayment amount |
+| Payment Flaws | 68.7% | Quick pay, direct debit, interbank transfer |
+
+### Payment Vulnerability Detection (1,056 Cases)
+
+**Manual Testing Checklist**:
+```
+1. Modify amount parameter: amount=0.01 (test server-side validation)
+2. Modify quantity to negative: quantity=-1 (negative transfer)
+3. Replay a successful payment request (test idempotency)
+4. Concurrent submission of the same order (race condition)
+5. Modify payee account/user ID (unauthorized transfer)
+6. Tamper with callback notification (forge payment success)
+```
+
+**Key Parameters**:
+- `amount` / `price` / `total` -> Amount fields
+- `to_account` / `payee_id` -> Payee
+- `sign` / `signature` -> Signature
+
+**Bypass Techniques**:
+```
+Negative value attack: Transfer amount = -1000
+Decimal overflow: amount = 0.001
+Race condition: Multi-threaded concurrent transfers
+Status tampering: Modify status=SUCCESS
+Signature bypass: Delete/empty the signature field
+```
+
+### Tier 2: Authentication and Authorization
+
+| Vulnerability Type | Case Count | Attack Scenario |
+|-------------------|-----------|----------------|
+| Weak Credentials | 7,513 | Online banking admin panel, operations systems |
+| Authorization Bypass | 1,705 | Viewing other users' account information |
+| Verification Code | 334 | Login, transfer, password reset |
+
+## 3. Banking-Specific Attack Surfaces
+
+### 1. Mobile Banking App Security
+
+```
+Client-Side Security
+├── Anti-decompilation protection (hardening strength)
+├── Local storage (sensitive information)
+├── Log leakage
+└── Certificate validation (SSL Pinning)
+
+Communication Security
+├── Encryption algorithms (hardcoded keys)
+├── Request signing (algorithm reverse engineering)
+└── Replay attacks
+
+Business Logic
+├── Login authentication (password/fingerprint/face)
+├── Transaction verification
+└── Transfer limits
+```
+
+**App Penetration Approach**:
+```
+1. Packet capture: Bypass SSL Pinning (Frida/Objection)
+2. Reverse engineering: Unpack -> Signing algorithm reversal -> Key extraction
+3. Hook testing: Bypass face/fingerprint verification, modify limit checks
+```
+
+### 2. Online Banking Systems
+
+```
+Attack approach:
+├── ActiveX control vulnerabilities
+├── Frontend encryption bypass (JS reverse engineering)
+├── Password control bypass
+├── USB token driver vulnerabilities
+├── Bulk transfer interface authorization bypass
+└── Statement/receipt unauthorized download
+```
+
+### 3. Third-Party Payment Interfaces
+
+```
+Attack points:
+├── Merchant key leakage (GitHub search)
+├── Callback signature verification flaws
+├── Async notification replay
+├── Amount validation missing
+└── Merchant ID authorization bypass
+```
+
+## 4. Verification Bypass Techniques
+
+### SMS Verification Code
+```
+├── Brute force (4-6 digits, feasible)
+├── Concurrency (bypass attempt limits)
+├── Reuse (same code used multiple times)
+├── Echo (code returned in response)
+└── Universal codes (0000/1234)
+```
+
+### Facial Recognition
+```
+├── Photo attack
+├── Video attack
+├── Hook return values
+├── Interface replay
+└── Replace facial data
+```
+
+### Transaction Signatures
+```
+├── Hardcoded signing key
+├── Critical fields not signed
+├── Signature verification optional
+└── Signature downgrade attack
+```
+
+## 5. Penetration Paths
+
+### Path 1: External Web Breach
+```
+Information gathering -> Subdomains/Ports/Fingerprinting
+    |
+Vulnerability exploitation (priority order):
+├── 1. Weak credential brute force
+├── 2. Struts2/WebLogic RCE
+├── 3. Business logic vulnerabilities
+└── 4. File upload / SQL injection
+```
+
+### Path 2: Mobile Endpoint Breach
+```
+Static analysis -> Decompile, key search, API extraction
+Dynamic analysis -> Bypass Pinning, packet capture, Hook
+Business testing -> Login/Transfer/Password reset
+```
+
+### Path 3: Supply Chain Attack
+```
+Outsourcing company -> Code/environment leakage
+Equipment vendor -> Preset accounts
+Service provider -> SMS/identity verification
+```
+
+## 6. High-Value Targets
+
+| Target System | Value | What Can Be Achieved |
+|--------------|-------|---------------------|
+| Core Banking | Critical | Account balances, transaction records |
+| Loan System | High | Loan approval, credit limit adjustment |
+| Risk Control System | High | Blocklists, rule configuration |
+| CRM System | Medium | KYC documentation |
+
+## 7. Practical Checklist
+
+### Information Gathering
+- [ ] Subdomain enumeration
+- [ ] GitHub code leakage search
+- [ ] App download and analysis
+- [ ] WeChat official account / mini-program interface discovery
+
+### Vulnerability Detection
+- [ ] Weak credential testing
+- [ ] Business logic (payment/transfer/password reset)
+- [ ] Authorization bypass testing
+- [ ] Interface security (signing/encryption)
+- [ ] App client-side security
+
+### Deep Exploitation
+- [ ] Payment amount tampering
+- [ ] Verification code bypass
+- [ ] Facial recognition bypass
+- [ ] Concurrent race conditions
+
+---
+
+**Reference methodologies**:
+- See {baseDir}/references/logic-flaws.md (payment tampering, authorization bypass) and {baseDir}/references/sql-injection.md (injection techniques) for related methodology.
+
+**Representative case patterns**:
+- A major bank's system vulnerability leading to shell access (affecting third-party payment integrations)
+- An education platform leading to a foundation system (allowing donation amount tampering)

package/skills/wooyun-legacy/references/checklists/command-execution-checklist.md

@@ -0,0 +1,119 @@
+# Command Execution Testing Checklist
+> Derived from 57 real-world vulnerability cases (WooYun 2010-2016)
+
+## High-Risk Parameters to Test
+| Parameter | Frequency | Notes |
+|-----------|-----------|-------|
+| `from` | 1x | Login redirect; deserialization entry |
+| `param` | 1x | Generic parameter in SAP/enterprise systems |
+| `action` / `module` | 2x | MVC dispatch parameters |
+| `addr` | 1x | Network address inputs (ping/traceroute) |
+| `itemId` | 1x | Item lookup triggering backend processing |
+| `pwd` / `pwpwd` | 2x | Authentication parameters |
+| `authenticationEntry` | 1x | Spring Security entry point |
+| `siteroot` | 1x | Configuration parameters |
+
+## Attack Pattern Distribution
+| Pattern | Count | Percentage |
+|---------|-------|------------|
+| Direct command execution | 38 | 67% |
+| Getshell via RCE | 9 | 16% |
+| Information leakage chain | 5 | 9% |
+| Deserialization to RCE | 5 | 9% |
+
+## Vulnerability Sources (ranked by frequency)
+
+### 1. Apache Struts2 OGNL Injection (~45% of cases)
+The single most common command execution vector in the dataset.
+- S2-045, S2-046, S2-048, S2-052 and related CVEs
+- Targets: `.action` and `.do` URL endpoints
+- Detection: Look for `struts2` in response headers or URL patterns
+
+**Test indicators:**
+```
+/login.action
+/index.do
+/upload.action
+Content-Type: %{...}  (S2-045)
+```
+
+### 2. Java Deserialization (~20% of cases)
+- JBoss JMXInvokerServlet / EJBInvokerServlet
+- WebLogic T3 protocol
+- Jenkins CLI
+- Spring Framework
+
+**Test endpoints:**
+```
+/invoker/JMXInvokerServlet
+/invoker/EJBInvokerServlet
+/jmx-console/
+/web-console/
+```
+
+### 3. Middleware Misconfiguration (~15% of cases)
+- JBoss default deployment consoles
+- Resin admin panel exposed
+- WebLogic console with default credentials
+- Tomcat manager with weak auth
+
+### 4. Application-Level Command Injection (~10% of cases)
+- SAP systems: `EXECUTE_CMD;CMDLINE=cmd.exe%20/c%20...`
+- Network management tools with ping/traceroute functions
+- Monitoring systems executing OS commands
+
+### 5. PHP Code Execution (~10% of cases)
+- `eval()` with user-controlled input
+- Unsafe `unserialize()`
+- Template injection
+
+## Common Exploitation Payloads
+
+### Struts2 OGNL
+```
+%{(#context['com.opensymphony.xwork2.dispatcher.
+  HttpServletResponse'].getWriter().println('test'))}
+
+redirect:${#context...}
+```
+
+### JBoss Deserialization
+```
+POST /invoker/JMXInvokerServlet HTTP/1.1
+[serialized Java object payload]
+```
+
+### OS Command Chaining
+```
+; whoami
+| cat /etc/passwd
+`id`
+$(whoami)
+```
+
+## Quick Test Vectors
+```
+1. Identify framework: Look for .action/.do URLs (Struts2)
+2. Check /invoker/JMXInvokerServlet (JBoss deser)
+3. Check /jmx-console/ (JBoss misconfiguration)
+4. Check management ports: 8080, 9090, 4848
+5. Test Struts2: Content-Type manipulation
+6. Test command injection: ; whoami | id `id`
+7. Check resin-admin, /manager/html (middleware consoles)
+```
+
+## High-Value Targets
+- **Government systems**: Frequently running outdated Struts2
+- **Financial/banking systems**: Legacy Java middleware
+- **Telecom infrastructure**: JBoss-based management platforms
+- **Enterprise OA systems**: SAP, Oracle middleware
+- **CDN/infrastructure nodes**: Internal management consoles
+
+## Root Causes
+| Cause | Frequency |
+|-------|-----------|
+| Unpatched Struts2 framework | Most common |
+| Exposed management consoles | Very common |
+| Java deserialization in services | Common |
+| Direct OS command concatenation | Occasional |
+| Unsafe eval/unserialize in PHP | Occasional |

package/skills/wooyun-legacy/references/checklists/csrf-checklist.md

@@ -0,0 +1,74 @@
+# CSRF Testing Checklist
+> Derived from ~30 real-world vulnerability cases (WooYun 2010-2016)
+
+## High-Risk Parameters to Test
+| Parameter | Context |
+|-----------|---------|
+| `formhash` | Forum/CMS anti-CSRF tokens (often decorative) |
+| `callback` | JSONP endpoints |
+| `action` | State-changing operations |
+| `uid`, `touid` | User targeting in social features |
+| `newPassword` | Password change forms |
+| `email` | Account binding/unbinding |
+| `nickname`, `sex`, `year` | Profile modification |
+| `status`, `content` | Post/comment creation |
+
+## Common Attack Patterns
+1. **No token validation** (most common) - State-changing requests lack CSRF tokens entirely
+2. **GET-based state changes** - Follow, post, profile edit via GET requests exploitable with `<img>` tags
+3. **Decorative tokens** - Token present in form but server never validates it
+4. **Missing Referer check** - No origin verification on POST requests
+5. **Token not bound to session** - Any valid token works for any user
+6. **OAuth binding CSRF** - Third-party account binding lacks `state` parameter
+
+## High-Impact CSRF Targets
+- Password/email change (account takeover chain)
+- OAuth account binding (hijack via CSRF)
+- Admin panel operations (password change without old password verification)
+- Payment address modification
+- Social actions (follow, post, comment) for worm propagation
+
+## Bypass Techniques
+- **GET fallback**: POST endpoints that also accept GET requests
+- **Referer stripping**: Use `<meta name="referrer" content="no-referrer">`
+- **Subdomain trust**: Referer check only validates partial domain match
+- **Flash/XMLHttpRequest**: Cross-origin requests with `withCredentials: true`
+- **Token reuse**: Same token valid across sessions or users
+
+## Quick Test Vectors
+```html
+<!-- Basic form auto-submit -->
+<form action="TARGET_URL" method="POST" id="csrf">
+  <input type="hidden" name="param" value="value"/>
+</form>
+<script>document.getElementById('csrf').submit();</script>
+
+<!-- GET-based via image tag -->
+<img src="https://target.com/action?param=value"/>
+
+<!-- XMLHttpRequest with credentials -->
+<script>
+var x = new XMLHttpRequest();
+x.open("POST", "TARGET_URL", true);
+x.withCredentials = true;
+x.setRequestHeader("Content-Type",
+  "application/x-www-form-urlencoded");
+x.send("param=value");
+</script>
+```
+
+## Testing Methodology
+1. Identify all state-changing endpoints (POST and GET)
+2. Check for CSRF tokens in requests
+3. Remove/modify token and replay -- does it still succeed?
+4. Check if GET method is accepted for POST endpoints
+5. Test Referer header removal and spoofing
+6. Verify token is bound to current session
+7. Test OAuth flows for missing `state` parameter
+
+## Common Root Causes
+- Developer trusts frontend to prevent duplicate submissions
+- Token added to form HTML but never validated server-side
+- Reliance on Referer header (easily stripped)
+- GET endpoints for state-changing operations
+- No re-authentication for sensitive operations (password change)

package/skills/wooyun-legacy/references/checklists/file-upload-checklist.md

@@ -0,0 +1,108 @@
+# File Upload Testing Checklist
+> Derived from 30 real-world vulnerability cases (WooYun 2010-2016)
+
+## High-Risk Parameters to Test
+| Parameter | Context | Notes |
+|-----------|---------|-------|
+| `Filedata` | Multipart upload | Standard upload field name |
+| `method` | Upload handler dispatch | Method parameter in upload APIs |
+| `Connector` | FCKEditor connector | CMS file manager connectors |
+| `LMID` / `varnum` / `ids` | Upload form fields | Auxiliary parameters |
+| `password` / `c` / `m` | Auth + upload | Combined auth bypass + upload |
+
+## Attack Pattern Distribution
+| Pattern | Count | Percentage |
+|---------|-------|------------|
+| Unrestricted file upload | 6 | 40% |
+| Getshell via upload | 3 | 20% |
+| Extension bypass | 3 | 20% |
+| Weak auth + upload | 1 | 7% |
+| Directory traversal + upload | 1 | 7% |
+
+## Common Upload Bypass Techniques
+
+### 1. Client-Side Only Validation (~35% of cases)
+The most common flaw: JavaScript-only file type checks with no server-side validation.
+- Bypass: Intercept request with proxy, change filename extension
+- Bypass: Disable JavaScript and submit directly
+
+### 2. Null Byte Truncation
+```
+shell.php%00.jpg        (PHP < 5.3.4)
+shell.jsp%00.txt        (older Java containers)
+shell.asp%00.jpg        (IIS + ASP)
+```
+
+### 3. Extension Bypass
+```
+.php5, .phtml, .pht     (PHP alternatives)
+.jspx, .jspa, .jsw      (JSP alternatives)
+.asp, .asa, .cer, .cdx   (ASP/IIS alternatives)
+.aspx, .ashx, .asmx      (ASP.NET alternatives)
+```
+
+### 4. WAF Bypass via Extended ASCII
+Append extended ASCII characters after the extension:
+```
+shell.php[0x7f]         (DEL character)
+shell.php[0xcc]         (extended ASCII)
+shell.php[0x88]         (extended ASCII)
+```
+Confirmed to bypass security products on Windows+Apache.
+
+### 5. Content-Type Manipulation
+```
+Content-Type: image/jpeg    (while uploading .php)
+Content-Type: image/gif     (with GIF89a header prepended)
+```
+
+### 6. Double Extension / Path Manipulation
+```
+shell.php.jpg            (Apache misconfiguration)
+shell.jpg/.php           (Nginx parsing vulnerability)
+../shell.php             (path traversal in filename)
+```
+
+## Common Vulnerable Upload Endpoints
+```
+/upload.jsp
+/excelUpload.jsp         (OA systems)
+/uploadImageFile_do.jsp  (CMS systems)
+/kindeditor/upload_json  (rich text editors)
+/fckeditor/editor/filemanager/connectors/
+/ueditor/controller      (UEditor)
+/regist/expappend_file.jsp
+```
+
+## Quick Test Vectors
+```
+1. Upload .php/.jsp file with valid image Content-Type
+2. Upload file.php%00.jpg (null byte truncation)
+3. Upload file.phtml / file.php5 (alternative extensions)
+4. Upload with ../ in filename (path traversal)
+5. Prepend GIF89a to PHP webshell (magic byte bypass)
+6. Upload .htaccess to enable PHP execution in upload dir
+7. Test double extension: file.php.jpg
+```
+
+## Post-Upload Verification
+- Determine upload path from response or predictable naming
+- Check if uploaded file is directly accessible via HTTP
+- Check if file extension is preserved or renamed
+- Check if file content is re-processed (image resize strips code)
+
+## High-Value Targets
+- **OA/Enterprise systems**: Excel/document upload features
+- **CMS admin panels**: Image/file upload in content editors
+- **Government procurement systems**: Attachment upload in bid submissions
+- **Hospital/edu systems**: Document submission portals
+- **Rich text editors**: FCKEditor, KindEditor, UEditor connectors
+
+## Root Causes
+| Cause | Frequency |
+|-------|-----------|
+| Client-side only validation | Most common |
+| No server-side extension check | Very common |
+| Allowlist not enforced on server | Common |
+| Predictable upload paths | Common |
+| Upload directory allows execution | Common |

package/skills/wooyun-legacy/references/checklists/info-disclosure-checklist.md

@@ -0,0 +1,114 @@
+# Information Disclosure Testing Checklist
+> Derived from ~56 real-world vulnerability cases (WooYun 2010-2016)
+
+## High-Risk Parameters to Test
+| Parameter | Context |
+|-----------|---------|
+| `id`, `uid` | Sequential resource identifiers |
+| `order_id`, `orderId` | Order enumeration |
+| `callback` | JSONP endpoints leaking user data |
+| `method` | API method selectors |
+| `p`, `page` | Pagination revealing total counts |
+| `inputFile` | File read endpoints |
+| `query`, `q` | Search endpoints reflecting data |
+
+## Common Attack Patterns (by frequency)
+1. **Source code/config exposure** (most common)
+   - `.svn/entries` or `.svn/wc.db` accessible
+   - `.git/config` or `.git/HEAD` accessible
+   - Backup files: `*.bak`, `*.sql`, `*.tar.gz`, `website.rar`
+   - `web.config`, `database.php`, `.env` exposed
+2. **Log file exposure**
+   - Application logs containing sessions, credentials
+   - Debug endpoints left enabled in production
+3. **API data over-exposure**
+   - JSONP endpoints returning user data cross-origin
+   - API responses including more fields than UI displays
+   - Sequential ID enumeration on order/user endpoints
+4. **Database credential leak**
+   - Config files with plaintext DB credentials
+   - Error messages revealing connection strings
+   - GitHub/code repository credential exposure
+5. **Session/credential leak**
+   - Session tokens in log files
+   - Credentials in URL parameters (GET requests)
+   - Default management passwords in documentation
+
+## Source Control Exposure
+| Path | Tool | Risk |
+|------|------|------|
+| `.svn/entries` | SVN | Source code + history |
+| `.svn/wc.db` | SVN 1.7+ | SQLite with full paths |
+| `.git/config` | Git | Remote URLs, credentials |
+| `.git/HEAD` | Git | Branch info, clone source |
+| `.DS_Store` | macOS | Directory listing |
+| `.idea/` | JetBrains | Project config, DB creds |
+| `WEB-INF/web.xml` | Java | Servlet mappings, config |
+
+## Quick Test Vectors
+```
+# Source control files
+/.svn/entries
+/.svn/wc.db
+/.git/config
+/.git/HEAD
+/.DS_Store
+
+# Backup files
+/backup.sql
+/backup.tar.gz
+/website.rar
+/db.sql
+/dump.sql
+/*.bak
+
+# Configuration files
+/web.config
+/wp-config.php
+/config/database.yml
+/application.properties
+/.env
+/phpinfo.php
+
+# Log files
+/logs/
+/log/
+/debug.log
+/error.log
+/seeyon/logs/ctp.log
+
+# JSONP data leak
+/api/userinfo?callback=test
+
+# GitHub search for credentials
+site:github.com "company.com" password
+site:github.com "company.com" smtp
+```
+
+## Testing Methodology
+1. Enumerate common sensitive file paths (source control, backups, configs)
+2. Check for directory listing on all discovered directories
+3. Search GitHub/GitLab for organization credential leaks
+4. Test JSONP endpoints for cross-origin data exposure
+5. Check error pages for stack traces and config details
+6. Probe log file locations for session/credential leakage
+7. Test sequential ID enumeration on data endpoints
+8. Check API responses for excessive data exposure
+9. Scan for debug/admin endpoints left in production
+
+## Information Escalation Chain
+```
+Source code leak → Database credentials → Full database access
+GitHub credential leak → Email access → VPN/internal access
+Log file exposure → Session tokens → Account takeover
+JSONP endpoint → User data → Credential stuffing
+```
+
+## Common Root Causes
+- Development files (.svn, .git) deployed to production
+- Backup files stored in web-accessible directories
+- Debug/logging features enabled in production
+- JSONP endpoints without access control
+- Error messages revealing internal details
+- Credentials committed to public code repositories
+- Default management interfaces left accessible