MANY

Memory_Exploits/README.md

@@ -99,7 +99,7 @@ mbstowcs(buf1, string1, sizeof(buf1)-1);
 
 ----
 
-## Data Type Bugs
+## Data Type Signedness
 
 * Primitive data types (32 bit):
 	- signed char/unsigned char
@@ -110,7 +110,24 @@ mbstowcs(buf1, string1, sizeof(buf1)-1);
 	- size_t (unsigned)
 	- size_t (signed)
 
-* Integer overflow: Exceeding the amount of data in integer will result in **wrapping**. In the example below, x will be 0:
+
+* By default all data types are signed unless specifically declared otherwise.
+* Many functions which accept size arguments take unsigned values.
+
+
+* char y=-1 has the same bit representation than  unsigned char x=255.
+
+* A large value in the unsigned type (highest bit set) is a negative value in the signed type.
+
+* Function **read()** takes only unsigned values for lenght. So if this value is negative, from a if comparison, it will overflow.
+
+* For example, if lenght is **-1** (which is 0xFFFFFFF), when the length check is performed, it is asking if -1 is less than a MAXNUMBER. Then, when the lenght is passed to read, it is converted to unsigned and becomes the unsigned equivalent of -1 (which for 32 bits is 42949672965).
+
+
+
+---
+## Integer overflow
+*  Exceeding the amount of data in integer will result in **wrapping**. In the example below, x will be 0:
 
 ```
 x = 255;
@@ -153,9 +170,38 @@ int getData(int sock)
 
 ```
 
-### Auding Tips
+------------------
+
+## Metacharacter Injection
+
+* In shell: quotes and semi-collon are metacharacters.
+
+* Example, a command to unzip some input file could lead to a second executable command if the input has a **;**:
+
+```
+void extractUserZip(char *userFile)
+{
+	char command[1024];
+	snprintf(command, 1023, "unzip %s", userFile);
+	system(command);
+	return;
+}
+
+```
+
+
+----
+
+
+## Auding Tips
 
 * grep for malloc() and other memory allocation functions.
+* look at the data types for size calculation.
+* look at values used for size checks: are they signed?
+* what happens if negative values are provided.
+* look for eval functions such as **system()**.
+
+
 
 ---------------------------
 

Web_Security/README.md

@@ -477,6 +477,7 @@ GIF89a(...binary data...)
 <?php phpinfo();  ?> (...
 ```
 
+
 ### Identifying File Handling Bugs
 
 * Fuzz and grep response for file system related messages:
@@ -493,6 +494,24 @@ qr / ((could not|cannot|unable to) (open|find|access|read)|(path|file) not found
 ```
 
 
+###  Meta-character Injection Bugs
+
+* File Input/Output is a common place where meta-character injection comes into play.
+
+* For example if file ="../../../../../etc/passwd" below:
+
+```
+$file = $_GET['file'];
+$fd = fopen("/var/www/$file");
+```
+* Even if it had a txt extension it wouldn't matter. The reason is that PHP strings are indiferent to NLL byte, so all  the attacker needs to insert is "../../../../../etc/passwd%00":
+
+```
+$file = $_GET['file'];
+$fd = fopen("/var/www/$file.txt");
+```
+* PHP NULL byte insertion and directory traversal are common.
+
 
 ---
 

Web_Security/SQLi/README.md

@@ -2,9 +2,18 @@
 
 ![](http://i.imgur.com/AcVJKT2.png)
 
+* SQL works by building query statements, these statements are intended to be readbale and intuitive.
+
+
 * A SQL query  search can be easily manipulated and assume that a SQL query search is a reliable command. This means  that SQL searches are capable of passing, unnoticed, by access control mechanisms. 
 * Using methods of diverting standard authentication and by checking the authorization credentials, you can gain access to important information stored in a database. 
 
+* Exploitation:
+	- Dumping contents from the database.
+	- Inserting new data.
+	- Modifying existing data.
+	- Writing to disk.
+
 ## The Simplest Example
 
 A parameter passed for a name of a user: