Skip to content

Instantly share code, notes, and snippets.

View aashishrbhandari's full-sized avatar
🎯
Focusing

Ashish R Bhandari aashishrbhandari

🎯
Focusing
View GitHub Profile
SQL Injection Types: Ref: https://www.imperva.com/learn/application-security/sql-injection-sqli/
In-band SQLi:
Use same communication channel to both launch the attack and gather results.
SubTypes:
Error-based SQLi:
relies on error messages thrown by the database server to obtain information about the structure of the database.
Union-based SQLi:
UNION SQL operator to combine the results of two or more SELECT statements into a single result which is then returned as part of the HTTP response.
Inferential (Blind) SQLi
No data is actually transferred via the web application and the attacker would not be able to see the result of an attack in-band (which is why such attacks are commonly referred to as “Blind SQL Injection Attacks”).
# Linux CLI Quicky
echo -n "Ashish" | md5sum | cut -d" " -f1
# Python Quicky One
python3 -c 'import hashlib; print(hashlib.md5(b"Ashish").hexdigest())'
# LDAP
ldapsearch -x -h 127.0.0.1 -b "dc=domain,dc=com" -D user@domain -W
"""
Python3
How to Install
apt-get update && apt-get install -y python3-opencv
pip3 install --upgrade pip # Important
pip3 install sklearn matplotlib numpy opencv-python scikit-image
cat BL/socialnet/domains | awk '{ OFS = ","; print "56",$1,"*" }' >> data_set2.txt
cat BL/forum/domains | awk '{ OFS = ","; print "19",$1,"*" }' >> data_set2.txt
cat BL/finance/banking/domains | awk '{ OFS = ","; print "5",$1,"*" }' >> data_set2.txt
cat BL/finance/realestate/domains | awk '{ OFS = ","; print "49",$1,"*" }' >> data_set2.txt
cat BL/finance/banking/domains | awk '{ OFS = ","; print "18",$1,"*" }' >> data_set2.txt
cat BL/finance/realestate/domains | awk '{ OFS = ","; print "18",$1,"*" }' >> data_set2.txt
cat BL/finance/insurance/domains | awk '{ OFS = ","; print "18",$1,"*" }' >> data_set2.txt
cat BL/finance/moneylending/domains | awk '{ OFS = ","; print "18",$1,"*" }' >> data_set2.txt
cat 3000_unique_domains.txt | xargs -P 30 -n 1 -I{} curl "{}" -s -x 10.139.232.245:8080 --max-time 6.0 -w "Status: %{response_code}, Total-Time: %{time_total}\n" | tee -a test_4-cc30-17_50-4_may_2021-log.txt
cat pi_blocklist_porn_top1m.list | xargs -P 30 -n 1 -I{} curl "{}" -s -x 10.139.232.245:8080 --max-time 6.0 -w "Status: %{response_code}, Total-Time: %{time_total}, Url: %{url_effective}, Socket: %{local_ip}:%{local_port} \n" -o /dev/null| tee -a test_4-cc30-17_50-4_may_2021-log.txt
cat pi_blocklist_porn_top1m.list | xargs -P 30 -n 1 -I{} curl "{}" -s -x 10.139.232.245:8080 --max-time 6.0 -w "Status: %{response_code}, Total-Time: %{time_total}, Url: %{url_effective}, Socket: %{local_ip}:%{local_port} \n" -o /dev/null| tee -a test_4-cc30-17_50-4_may_2021-log.txt
COUNTER_1=0; cat pi_blocklist_porn_top1m.list | xargs -P 30 -n 1 -I{} curl "{}" -s -x 10.139.232.245:8080 --max-time 6.0 -w "Status: %{response_code}, Total-Time: %{time_total}, Url: %{url_effective}, Socket: %{local_ip}:%{local_port} \n" -o /de
CSRF:
Cross-Site Request Forgery - Cross-Site Request Forgery (CSRF) is a malicious attack that tricks the user’s web browser to perform undesired actions so that they appear as if an authorized user is performing those actions.
OWASP:
Open Web Application Security Project
Caching at the Object Level
1. Cache ASide
Easiest one used by me
Check the Cache
IF Cache Found -> Return
Else -> Ask DB
IF DB Found -> Add To Cache and Return
Else -> Do NOT Cache and Return NULL
----------------------
Report Table Creation
----------------------
website_name, download_size, upload_size, request_count, elapsed_time
username, website_name, download_size, upload_size, request_count, elapsed_time
=============
Single Table
record_id
client_id
request_id
date_time
elapsed_time
status
size
upload
download
bypassed
# Best Practise
# Reference: https://stackoverflow.com/questions/11482342/read-a-large-zipped-text-file-line-by-line-in-python/11482347
# If Reading a Zipped/Compressed File
import zipfile
with zipfile.ZipFile(zip_file) as z:
with z.open(zip_file) as f: