bump

Exploits/Databases/Websocket SQLi.md

@@ -0,0 +1,13 @@
+# Websocket SQLi
+
+* SQLmap is not able to send websocket requests directly because of the id added to the request. Therefore you need a local webserver as a middleware which translates requests to the target. Put in the webserver URL, and the correct data structure into the script and run it.o
+
+```sh
+sqlmap -u "http://127.0.0.1:8081/?id=62009" -p "id" --dbs
+```
+
+## References
+
+* [rayhan0x01's git repo](https://github.com/rayhan0x01/nodejs-websocket-sqli)
+* [rayhan0x01's blog entry](https://rayhan0x01.github.io/ctf/2021/04/02/blind-sqli-over-websocket-automation.html)
+

Exploits/Ruby/yaml_load.md

@@ -0,0 +1,4 @@
+# YAML.load deserialization
+
+RCE is is possible via YAML file deserialization through `yaml.load()`.  
+* [staadraad describes how and provides a payload](https://staaldraad.github.io/post/2021-01-09-universal-rce-ruby-yaml-load-updated/)