Merge branch 'master' into update_CVE-2026-22730__SQL_Injection_in_Spring_AI_s_Maria_20260319_131806

Author: carlospolop

.github/workflows/auto_merge_approved_prs.yml

@@ -120,8 +120,9 @@ jobs:
           echo "Authorized user: $authorized_user"
           echo "Looking for PRs with exact comment 'merge' from $authorized_user..."
 
-          # Get all open PRs
-          prs=$(gh_with_retry pr list --state open --json number,title,url,author --repo "$GITHUB_REPOSITORY")
+          # Get all open PRs, paginating through the full result set instead of
+          # relying on `gh pr list`'s default page size.
+          prs=$(gh_with_retry api --paginate "repos/$GITHUB_REPOSITORY/pulls?state=open&per_page=100" | jq -s 'add | map({number, title, url: .html_url, author: {login: .user.login}})')
 
           if [ "$prs" = "[]" ]; then
             echo "No open PRs found."

src/SUMMARY.md

@@ -9,7 +9,9 @@
 # 🤩 Generic Methodologies & Resources
 
 - [Pentesting Methodology](generic-methodologies-and-resources/pentesting-methodology.md)
+- [Fuzzing Methodology](generic-methodologies-and-resources/fuzzing.md)
 - [External Recon Methodology](generic-methodologies-and-resources/external-recon-methodology/README.md)
+  - [Database Leaks](generic-methodologies-and-resources/external-recon-methodology/database-leaks.md)
   - [Wide Source Code Search](generic-methodologies-and-resources/external-recon-methodology/wide-source-code-search.md)
   - [Github Dorks & Leaks](generic-methodologies-and-resources/external-recon-methodology/github-leaked-secrets.md)
 - [Pentesting Network](generic-methodologies-and-resources/pentesting-network/README.md)
@@ -92,6 +94,7 @@
   - [Defi/AMM Hook Precision](blockchain/blockchain-and-crypto-currencies/defi-amm-hook-precision.md)
   - [Defi Amm Virtual Balance Cache Exploitation](blockchain/blockchain-and-crypto-currencies/defi-amm-virtual-balance-cache-exploitation.md)
   - [Mutation Testing With Slither](blockchain/smart-contract-security/mutation-testing-with-slither.md)
+  - [Erc 4337 Smart Account Security Pitfalls](blockchain/blockchain-and-crypto-currencies/erc-4337-smart-account-security-pitfalls.md)
   - [Value Centric Web3 Red Teaming](blockchain/blockchain-and-crypto-currencies/value-centric-web3-red-teaming.md)
   - [Web3 Signing Workflow Compromise Safe Delegatecall Proxy Takeover](blockchain/blockchain-and-crypto-currencies/web3-signing-workflow-compromise-safe-delegatecall-proxy-takeover.md)
 - [Lua Sandbox Escape](generic-methodologies-and-resources/lua/bypass-lua-sandboxes/README.md)
@@ -122,27 +125,33 @@
   - [Cisco - vmanage](linux-hardening/privilege-escalation/cisco-vmanage.md)
   - [Containerd (ctr) Privilege Escalation](linux-hardening/privilege-escalation/containerd-ctr-privilege-escalation.md)
   - [D-Bus Enumeration & Command Injection Privilege Escalation](linux-hardening/privilege-escalation/d-bus-enumeration-and-command-injection-privilege-escalation.md)
-  - [Docker Security](linux-hardening/privilege-escalation/docker-security/README.md)
-    - [Abusing Docker Socket for Privilege Escalation](linux-hardening/privilege-escalation/docker-security/abusing-docker-socket-for-privilege-escalation.md)
-    - [AppArmor](linux-hardening/privilege-escalation/docker-security/apparmor.md)
-    - [AuthZ& AuthN - Docker Access Authorization Plugin](linux-hardening/privilege-escalation/docker-security/authz-and-authn-docker-access-authorization-plugin.md)
-    - [CGroups](linux-hardening/privilege-escalation/docker-security/cgroups.md)
-    - [Docker --privileged](linux-hardening/privilege-escalation/docker-security/docker-privileged.md)
-    - [Docker Breakout / Privilege Escalation](linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/README.md)
-      - [release_agent exploit - Relative Paths to PIDs](linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/release_agent-exploit-relative-paths-to-pids.md)
-      - [Docker release_agent cgroups escape](linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape.md)
-      - [Sensitive Mounts](linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md)
-    - [Namespaces](linux-hardening/privilege-escalation/docker-security/namespaces/README.md)
-      - [CGroup Namespace](linux-hardening/privilege-escalation/docker-security/namespaces/cgroup-namespace.md)
-      - [IPC Namespace](linux-hardening/privilege-escalation/docker-security/namespaces/ipc-namespace.md)
-      - [PID Namespace](linux-hardening/privilege-escalation/docker-security/namespaces/pid-namespace.md)
-      - [Mount Namespace](linux-hardening/privilege-escalation/docker-security/namespaces/mount-namespace.md)
-      - [Network Namespace](linux-hardening/privilege-escalation/docker-security/namespaces/network-namespace.md)
-      - [Time Namespace](linux-hardening/privilege-escalation/docker-security/namespaces/time-namespace.md)
-      - [User Namespace](linux-hardening/privilege-escalation/docker-security/namespaces/user-namespace.md)
-      - [UTS Namespace](linux-hardening/privilege-escalation/docker-security/namespaces/uts-namespace.md)
-    - [Seccomp](linux-hardening/privilege-escalation/docker-security/seccomp.md)
-    - [Weaponizing Distroless](linux-hardening/privilege-escalation/docker-security/weaponizing-distroless.md)
+  - [Container Security](linux-hardening/privilege-escalation/container-security/README.md)
+    - [Runtimes And Engines](linux-hardening/privilege-escalation/container-security/runtimes-and-engines.md)
+    - [Runtime API And Daemon Exposure](linux-hardening/privilege-escalation/container-security/runtime-api-and-daemon-exposure.md)
+    - [Authorization Plugins](linux-hardening/privilege-escalation/container-security/authorization-plugins.md)
+    - [Image Security And Secrets](linux-hardening/privilege-escalation/container-security/image-security-and-secrets.md)
+    - [Assessment And Hardening](linux-hardening/privilege-escalation/container-security/assessment-and-hardening.md)
+    - [Sensitive Host Mounts](linux-hardening/privilege-escalation/container-security/sensitive-host-mounts.md)
+    - [Privileged Containers](linux-hardening/privilege-escalation/container-security/privileged-containers.md)
+    - [Distroless](linux-hardening/privilege-escalation/container-security/distroless.md)
+    - [Protections](linux-hardening/privilege-escalation/container-security/protections/README.md)
+      - [AppArmor](linux-hardening/privilege-escalation/container-security/protections/apparmor.md)
+      - [Capabilities](linux-hardening/privilege-escalation/container-security/protections/capabilities.md)
+      - [CGroups](linux-hardening/privilege-escalation/container-security/protections/cgroups.md)
+      - [Masked Paths](linux-hardening/privilege-escalation/container-security/protections/masked-paths.md)
+      - [No New Privileges](linux-hardening/privilege-escalation/container-security/protections/no-new-privileges.md)
+      - [Read Only Paths](linux-hardening/privilege-escalation/container-security/protections/read-only-paths.md)
+      - [Seccomp](linux-hardening/privilege-escalation/container-security/protections/seccomp.md)
+      - [SELinux](linux-hardening/privilege-escalation/container-security/protections/selinux.md)
+      - [Namespaces](linux-hardening/privilege-escalation/container-security/protections/namespaces/README.md)
+        - [CGroup Namespace](linux-hardening/privilege-escalation/container-security/protections/namespaces/cgroup-namespace.md)
+        - [IPC Namespace](linux-hardening/privilege-escalation/container-security/protections/namespaces/ipc-namespace.md)
+        - [PID Namespace](linux-hardening/privilege-escalation/container-security/protections/namespaces/pid-namespace.md)
+        - [Mount Namespace](linux-hardening/privilege-escalation/container-security/protections/namespaces/mount-namespace.md)
+        - [Network Namespace](linux-hardening/privilege-escalation/container-security/protections/namespaces/network-namespace.md)
+        - [Time Namespace](linux-hardening/privilege-escalation/container-security/protections/namespaces/time-namespace.md)
+        - [User Namespace](linux-hardening/privilege-escalation/container-security/protections/namespaces/user-namespace.md)
+        - [UTS Namespace](linux-hardening/privilege-escalation/container-security/protections/namespaces/uts-namespace.md)
   - [Escaping from Jails](linux-hardening/privilege-escalation/escaping-from-limited-bash.md)
   - [Posix Cpu Timers Toctou Cve 2025 38352](linux-hardening/privilege-escalation/linux-kernel-exploitation/posix-cpu-timers-toctou-cve-2025-38352.md)
   - [euid, ruid, suid](linux-hardening/privilege-escalation/euid-ruid-suid.md)
@@ -279,6 +288,7 @@
   - [Semanagevolume Perform Volume Maintenance Tasks](windows-hardening/windows-local-privilege-escalation/semanagevolume-perform-volume-maintenance-tasks.md)
   - [Service Triggers](windows-hardening/windows-local-privilege-escalation/service-triggers.md)
   - [Telephony Tapsrv Arbitrary Dword Write To Rce](windows-hardening/windows-local-privilege-escalation/telephony-tapsrv-arbitrary-dword-write-to-rce.md)
+  - [Secure Desktop Accessibility Registry Propagation LPE (RegPwn)](windows-hardening/windows-local-privilege-escalation/secure-desktop-accessibility-registry-propagation-regpwn.md)
   - [Uiaccess Admin Protection Bypass](windows-hardening/windows-local-privilege-escalation/uiaccess-admin-protection-bypass.md)
   - [Windows C Payloads](windows-hardening/windows-local-privilege-escalation/windows-c-payloads.md)
 - [Active Directory Methodology](windows-hardening/active-directory-methodology/README.md)
@@ -819,7 +829,7 @@
     - [Ret2win - arm64](binary-exploitation/stack-overflow/ret2win/ret2win-arm64.md)
   - [Stack Shellcode](binary-exploitation/stack-overflow/stack-shellcode/README.md)
     - [Stack Shellcode - arm64](binary-exploitation/stack-overflow/stack-shellcode/stack-shellcode-arm64.md)
-  - [Stack Pivoting - EBP2Ret - EBP chaining](binary-exploitation/stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md)
+  - [Stack Pivoting](binary-exploitation/stack-overflow/stack-pivoting.md)
   - [Uninitialized Variables](binary-exploitation/stack-overflow/uninitialized-variables.md)
   - [ROP & JOP](binary-exploitation/rop-return-oriented-programing/README.md)
   - [BROP - Blind Return Oriented Programming](binary-exploitation/rop-return-oriented-programing/brop-blind-return-oriented-programming.md)
@@ -830,15 +840,15 @@
     - [Leaking libc address with ROP](binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/README.md)
       - [Leaking libc - template](binary-exploitation/rop-return-oriented-programing/ret2lib/rop-leaking-libc-address/rop-leaking-libc-template.md)
     - [One Gadget](binary-exploitation/rop-return-oriented-programing/ret2lib/one-gadget.md)
-    - [Ret2lib + Printf leak - arm64](binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.md)
+    - [Ret2lib + Printf leak - arm64](binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-printf-leak-arm64.md)
   - [Ret2syscall](binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/README.md)
-    - [Ret2syscall - ARM64](binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.md)
+    - [Ret2syscall - arm64](binary-exploitation/rop-return-oriented-programing/rop-syscall-execv/ret2syscall-arm64.md)
   - [Ret2vDSO](binary-exploitation/rop-return-oriented-programing/ret2vdso.md)
   - [SROP - Sigreturn-Oriented Programming](binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/README.md)
-    - [SROP - ARM64](binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md)
+    - [SROP - arm64](binary-exploitation/rop-return-oriented-programing/srop-sigreturn-oriented-programming/srop-arm64.md)
   - [Mediatek Xflash Carbonara Da2 Hash Bypass](hardware-physical-access/firmware-analysis/mediatek-xflash-carbonara-da2-hash-bypass.md)
   - [Synology Encrypted Archive Decryption](hardware-physical-access/firmware-analysis/synology-encrypted-archive-decryption.md)
-  - [Windows Seh Overflow](binary-exploitation/stack-overflow/windows-seh-overflow.md)
+  - [Windows SEH Overflow](binary-exploitation/stack-overflow/windows-seh-overflow.md)
 - [Array Indexing](binary-exploitation/array-indexing.md)
 - [Chrome Exploiting](binary-exploitation/chrome-exploiting.md)
 - [Common Exploiting Problems Unsafe Relocation Fixups](binary-exploitation/common-exploiting-problems-unsafe-relocation-fixups.md)

src/binary-exploitation/basic-stack-binary-exploitation-methodology/README.md

@@ -101,7 +101,7 @@ Something to take into account is that usually **just one exploitation of a vuln
 
 #### Via EBP/RBP
 
-- [**Stack Pivoting / EBP2Ret / EBP Chaining**](../stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md): Control the ESP to control RET through the stored EBP in the stack.
+- [**Stack Pivoting**](../stack-overflow/stack-pivoting.md): Control the ESP to control RET through the stored EBP in the stack.
   - Useful for **off-by-one** stack overflows
   - Useful as an alternate way to end controlling EIP while abusing EIP to construct the payload in memory and then jumping to it via EBP
 

src/binary-exploitation/common-binary-protections-and-bypasses/aslr/ret2ret.md

@@ -1,12 +1,12 @@
-# Ret2ret & Reo2pop
+# Ret2ret & Ret2pop
 
 {{#include ../../../banners/hacktricks-training.md}}
 
 ## Ret2ret
 
 The main **goal** of this technique is to try to **bypass ASLR by abusing an existing pointer in the stack**.
 
-Basically, stack overflows are usually caused by strings, and **strings end with a null byte at the end** in memory. This allows to try to reduce the place pointed by na existing pointer already existing n the stack. So if the stack contained `0xbfffffdd`, this overflow could transform it into `0xbfffff00` (note the last zeroed byte).
+Basically, stack overflows are usually caused by strings, and **strings end with a null byte at the end** in memory. This allows to try to reduce the place pointed by an existing pointer already existing on the stack. So if the stack contained `0xbfffffdd`, this overflow could transform it into `0xbfffff00` (note the last zeroed byte).
 
 If that address points to our shellcode in the stack, it's possible to make the flow reach that address by **adding addresses to the `ret` instruction** util this one is reached.
 

src/binary-exploitation/rop-return-oriented-programing/README.md

@@ -287,6 +287,21 @@ G3:
     ret
 ```
 
+## Shellcode via /proc/self/mem (Embedded Linux)
+
+If you already have a ROP chain but **no RWX mappings**, an alternative is to **write shellcode into the current process using** `/proc/self/mem` and then jump to it. This is common on embedded Linux targets where `/proc/self/mem` can ignore write protections on executable segments in default configurations.
+
+Typical chain idea:
+
+```c
+fd = open("/proc/self/mem", O_RDWR);
+lseek(fd, target_addr, SEEK_SET);   // e.g., a known RX mapping or code cave
+write(fd, shellcode, shellcode_len);
+((void(*)())target_addr)();         // ARM Thumb: jump to target_addr | 1
+```
+
+If preserving `fd` is hard, calling `open()` multiple times can make it feasible to **guess the descriptor** used for `/proc/self/mem`. On ARM Thumb targets, remember to **set the low bit** when branching (`addr | 1`).
+
 
 ## Protections Against ROP and JOP
 
@@ -316,7 +331,7 @@ rop-syscall-execv/
 
 
 {{#ref}}
-../stack-overflow/stack-pivoting-ebp2ret-ebp-chaining.md
+../stack-overflow/stack-pivoting.md
 {{#endref}}
 
 ## Other Examples & References
@@ -328,6 +343,10 @@ rop-syscall-execv/
   - arm64, no ASLR, ROP gadget to make stack executable and jump to shellcode in stack
 - [https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-4.html](https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-4.html)
 
-{{#include ../../banners/hacktricks-training.md}}
+## References
 
+- [Now You See mi: Now You're Pwned](https://labs.taszk.io/articles/post/nowyouseemi/)
+- [TaszkSecLabs/xiaomi-c400-pwn](https://github.com/TaszkSecLabs/xiaomi-c400-pwn)
+
+{{#include ../../banners/hacktricks-training.md}}
 

src/binary-exploitation/rop-return-oriented-programing/ret2lib/README.md

@@ -136,7 +136,7 @@ Also in ARM64 an instruction does what the instruction does (it's not possible t
 Check the example from:
 
 {{#ref}}
-ret2lib-+-printf-leak-arm64.md
+ret2lib-printf-leak-arm64.md
 {{#endref}}
 
 ## Ret-into-printf (or puts)

…g/ret2lib/ret2lib-+-printf-leak-arm64.md …ing/ret2lib/ret2lib-printf-leak-arm64.mdsrc/binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.md renamed to src/binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-printf-leak-arm64.md src/binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-+-printf-leak-arm64.md renamed to src/binary-exploitation/rop-return-oriented-programing/ret2lib/ret2lib-printf-leak-arm64.md

@@ -1,4 +1,4 @@
-# Ret2lib + Printf leak - arm64
+# Ret2lib + Printf leak - ARM64
 
 {{#include ../../../banners/hacktricks-training.md}}