Skip to content

Instantly share code, notes, and snippets.

View AA-2020743's full-sized avatar

AA-2020743

3 followers · 10 following
View GitHub Profile
@stefanocoding
stefanocoding / csrf_jwt_redirect_leak.md
Created May 15, 2019 23:46

You do not need to run 80 reconnaissance tools to get access to user accounts

An open redirect was almost everything I needed in two different bug bounty programs to get access to user accounts. In one of the cases a JWT was leaked, and in the other the CSRF token was leaked. The issue was mostly the same in both cases: not validating, or URI encoding, user input in the client-side, and sending sensitive information to my server using an open redirect.

CSRF token bug

  1. There is an open redirect on https://example.com/redirect?url=https://myserver.com/attack.php
  2. User loads https://example.com/?code=VALUE
  3. Javascript code in https://example.com/ makes a GET request to https://example.com/verify/VALUE with a header x-csrf-token set to the CSRF token for the session of the user 
    GET /verify/VALUE HTTP/1.1
Host: example.com
@Arno0x
Arno0x / TestAssembly.cs
Last active July 7, 2025 04:55
This code shows how to load a CLR in an unmanaged process, then load an assembly from memory (not from a file) and execute a method
/*
================================ Compile as a .Net DLL ==============================
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /target:library /out:TestAssembly.dll TestAssembly.cs
*/
using System.Windows.Forms;
namespace TestNamespace
@Arno0x
Arno0x / shellcode.xlsm
Last active May 13, 2023 23:22
XLM (Excel 4.0 macro) to execute a shellcode into Excel (32 bits) - French Macro code
BEWARE: THIS WILL ONLY WORK IN A FRENCH VERSION OF MS-OFFICE/EXCEL
1. Open Excel
2. Click on the active tab
3. Select "Insérer"
4. Click on "Macro MS Excel 4.0".
5. This will create a new worksheet called "Macro1"
================================================================================
In the Macro1 worksheet, paste the following block in cells in column A, starting in cell A1:
@ykoster
ykoster / Invoke-MTPuTTYConfigDump.psm1
Last active February 27, 2024 13:50
Invoke-MTPuTTYConfigDump - read an MTPuTTY configuration file, decrypt the passwords and dump the result
<#
.Synopsis
Decrypt an MTPuTTY configuration file
.Description
Read an MTPuTTY configuration file, decrypt the passwords and dump the result
.Parameter ConfigFile
Path to the MTPuTTY configuration file
@momenbasel
momenbasel / headersPentest
Last active July 1, 2023 14:28
HTTP headers is the language that all web servers speaks, it can be golden gem for security researcher.
X-Forwarded-Host
X-Forwarded-Port
X-Forwarded-Scheme
Origin: null
Origin: [siteDomain].attacker.com
X-Frame-Options: Allow
X-Forwarded-For: 127.0.0.1
X-Client-IP: 127.0.0.1
Client-IP: 127.0.0.1
---For injecting BXSS(blind XSS) || SQLI payloads---
@MarkBaggett
MarkBaggett / twit_interests.py
Last active January 18, 2020 18:50
Determine a persons interests based on who they follow
#!/usr/bin/env python
"""Twit Interest will infer a persons interests based upon the most common words in the descriptions of those they follow"""
from twython import Twython
from collections import Counter
import sys
#Twython isn't a standard module. "python -m pip install twython" to install it. If no pip run this https://bootstrap.pypa.io/get-pip.py
twit = Twython(<your twitter APP KEY HERE> , < Your twitter Secret key here >)
#Need a key? Go https://apps.twitter.com/app/new Create app. Put anything you want for the values in the app.
@knavesec
knavesec / autoProc.py
Created August 23, 2019 16:29
Automatic lsass dumper
#!/usr/bin/env python
# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# A similar approach to smbexec but executing commands through WMI.
# Main advantage here is it runs under the user (has to be Admin)
# account, not SYSTEM, plus, it doesn't generate noisy messages
@mattifestation
mattifestation / HowToDetectTechniqueX_Demos.ps1
Created September 6, 2019 22:03
Demo code from my DerbyCon talk: "How do I detect technique X in Windows?" Applied Methodology to Definitively Answer this Question
#region Attack validations
wmic /node:169.254.37.139 /user:Administrator /password:badpassword process call create notepad.exe
Invoke-WmiMethod -ComputerName 169.254.37.139 -Credential Administrator -Class Win32_Process -Name Create -ArgumentList notepad.exe
$CimSession = New-CimSession -ComputerName 169.254.37.139 -Credential Administrator
Invoke-CimMethod -CimSession $CimSession -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = 'notepad.exe' }
$CimSession | Remove-CimSession
winrm --% invoke Create wmicimv2/Win32_Process @{CommandLine="notepad.exe"} -remote:169.254.37.139 -username:Administrator -password:badpassword
@ur0
ur0 / README.md
Last active June 13, 2024 00:24
SockPuppet 3

SockPuppet 3

This is a kernel exploit targeting iOS 12.0-12.2 and 12.4. It exploits a dangling kernel pointer to craft a fake task port corresponding to the kernel task and gets a send right to it.

This code is not readily compilable — some common sense is a prerequisite. If you do get it going though, it is extremely reliable on any device with more than a gigabyte of RAM. Interested readers may want to investigate how reallocations can be prevented -- this might improve reliability even more.

License

@tomnomnom
tomnomnom / passwords.txt
Last active May 23, 2025 16:15
MySQL Docker Passwords pulled from Dockerfile and docker-compose.yml files
0Z0mQ130F65E8wD
1QAZXsw2
3dodPaTXF5
5E84F90
5aQNxsB58752fNl
5ciuk1sy
5zkfAr9Y8k6qosP
8PuNNgp9wm2w
9Lug*96q
14mR00t