am force-stop com.android.settings
settings put global hidden_api_blacklist_exemptions "LClass1;->method1(
15
--runtime-args
--setuid=1000
--setgid=1000
--runtime-flags=2049
--mount-external-full
--target-sdk-version=29
--setgroups=3003
@ngregoire
ngregoire / burl
Created December 31, 2024 15:18
A simple wrapper that routes curl traffic through Burp Suite
#!/usr/bin/env sh
curl --proxy http://127.0.0.1:8080/ --user-agent burl --insecure "$@"
@n1nj4sec
n1nj4sec / FreeMarker_SSTI_tricks.md
Created December 18, 2024 20:10
FreeMarker SSTI tricks

What is this cheat sheet?

I recently stumbled on a blind SSTI injection in a bug bounty program (no output or stack trace, only a 500 status code on invalid syntax).

The version was up to date and it was not possible to RCE because the conf was following best practices and there is no public sandbox bypass on the latest version. So was it possible to do stuff anyway? Yes, I found some nice gadgets to enumerate all accessible variables from the engine, read data blindly or perform some DoS.

This is not meant to be complete; you will find classic payloads for FreeMarker on other cheat sheets. This is only the new stuff from my research, which is not public anywhere else.

get versions

Unicode XSS via Combining Characters

Most application security practitioners are familiar with Unicode XSS, which typically arises from the Unicode character fullwidth-less-than-sign. It’s not a common vulnerability but does occasionally appear in applications that otherwise have good XSS protection. In this blog I describe another variant of Unicode XSS that I have identified, using combining characters. I’ve not observed this in the wild, so it’s primarily of theoretical concern. But the scenario is not entirely implausible and I’ve not otherwise seen this technique discussed, so I hope this is useful.

Recap of Unicode XSS

Lab: https://4t64ubva.xssy.uk/

A quick investigation of the lab shows that it is echoing the name parameter, and performing HTML escaping:

@julianandrews
julianandrews / send-gmail.sh
Created April 22, 2021 16:46
Simple shell script to send email using gmail
# Depends on: msmtp, libsecret-tools
#
# Set password:
# secret-tool store --label="msmtp password for [email protected]" service msmtp username [email protected]
#
# Send mail:
# echo "Message Body" | send-gmail myusername [email protected] "My Subject"
send-gmail() {
local user="$1"
local to="$2"
@ikuamike
ikuamike / GoogleDorking.md
Created February 22, 2020 20:12 — forked from sundowndev/GoogleDorking.md
Google dork cheatsheet

Google dork cheatsheet

Search filters

Filter Description Example
allintext Searches for occurrences of all the keywords given. allintext:"keyword"
intext Searches for the occurrences of keywords all at once or one at a time. intext:"keyword"
inurl Searches for a URL matching one of the keywords. inurl:"keyword"
allinurl Searches for a URL matching all the keywords in the query. allinurl:"keyword"
intitle Searches for occurrences of keywords in title all or one. intitle:"keyword"
@Hakky54
Hakky54 / openssl_commands.md
Last active May 8, 2025 12:37 — forked from p3t3r67x0/openssl_commands.md
OpenSSL Cheat Sheet

OpenSSL Cheat Sheet 🔐

Install

Install OpenSSL on Debian-based systems

sudo apt-get install openssl
@StevenACoffman
StevenACoffman / Homoglyphs.md
Last active May 7, 2025 00:23
Unicode Look-alikes

Unicode Character Look-Alikes

Original Letter Look-Alike(s)
a а ạ ą ä à á ą
c с ƈ ċ
d ԁ ɗ
e е ẹ ė é è
g ġ
h һ
@castexyz
castexyz / drozer.md
Last active April 8, 2025 19:26
Drozer commands
  • Drozer - Drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.
    • Starting a session
      • adb forward tcp:31415 tcp:31415
      • drozer console connect
      • drozer console connect --server <ip>
    • List modules
      • ls
      • ls activity
    • Retrieving package information
      • run app.package.list -f