Sean Pesce SeanPesce

Drozer - Drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.
- Starting a session
  - adb forward tcp:31415 tcp:31415
  - drozer console connect
  - drozer console connect --server <ip>
- List modules
  - ls
  - ls activity
- Retrieving package information
run app.package.list -f

Unicode Character Look-Alikes

Original Letter	Look-Alike(s)
a	а ạ ą ä à á ą
c	с ƈ ċ
d	ԁ ɗ
e	е ẹ ė é è
g	ġ
h	һ

OpenSSL Cheat Sheet 🔐

Install

Install the OpenSSL on Debian based systems

sudo apt-get install openssl

Google dork cheatsheet

Search filters

Filter	Description	Example
allintext	Searches for occurrences of all the keywords given.	`allintext:"keyword"`
intext	Searches for the occurrences of keywords all at once or one at a time.	`intext:"keyword"`
inurl	Searches for a URL matching one of the keywords.	`inurl:"keyword"`
allinurl	Searches for a URL matching all the keywords in the query.	`allinurl:"keyword"`
intitle	Searches for occurrences of keywords in title all or one.	`intitle:"keyword"`

https://web.archive.org/web/20220308212352/https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2016/

Windows 2012 R2 Essentials: http://download.microsoft.com/download/8/F/7/8F7024D2-AB2A-4BE2-8406-1E3AC49C5C1F/9600.16384.WINBLUE_RTM.130821-1623_X64FRE_SERVER_SOLUTION_EN-US-IRM_SSSO_X64FRE_EN-US_DV5.ISO

Windows 2012 R2: http://download.microsoft.com/download/6/2/A/62A76ABB-9990-4EFC-A4FE-C7D698DAEB96/9600.17050.WINBLUE_REFRESH.140317-1640_X64FRE_SERVER_EVAL_EN-US-IR3_SSS_X64FREE_EN-US_DV9.ISO

Windows 2016: https://software-download.microsoft.com/download/pr/Windows_Server_2016_Datacenter_EVAL_en-us_14393_refresh.ISO

Windows 2019 Essentials: https://software-download.microsoft.com/download/pr/17763.737.190906-2324.rs5_release_svc_refresh_SERVERESSENTIALS_OEM_x64FRE_en-us_1.iso

Unicode XSS via Combining Characters

Most application security practitioners are familiar with Unicode XSS, which typically arises from the Unicode character fullwidth-less-than-sign. It’s not a common vulnerability but does occasionally appear in applications that otherwise have good XSS protection. In this blog I describe another variant of Unicode XSS that I have identified, using combining characters. I’ve not observed this in the wild, so it’s primarily of theoretical concern. But the scenario is not entirely implausible and I’ve not otherwise seen this technique discussed, so I hope this is useful.

Recap of Unicode XSS

Lab: https://4t64ubva.xssy.uk/

A quick investigation of the lab shows that it is echoing the name parameter, and performing HTML escaping:

	#!/usr/bin/env python3
	from __future__ import print_function
	from tempfile import TemporaryFile
	from binascii import hexlify

	from ctypes import *

	class StructHelper(object):
	def __get_value_str(self, name, fmt='{}'):
	val = getattr(self, name)

	{
	"key_events": {
	"key_unknown": "adb shell input keyevent 0",
	"key_soft_left": "adb shell input keyevent 1",
	"key_soft_right": "adb shell input keyevent 2",
	"key_home": "adb shell input keyevent 3",
	"key_back": "adb shell input keyevent 4",
	"key_call": "adb shell input keyevent 5",
	"key_endcall": "adb shell input keyevent 6",
	"key_0": "adb shell input keyevent 7",

	inurl /bug bounty
	inurl : / security
	inurl:security.txt
	inurl:security "reward"
	inurl : /responsible disclosure
	inurl : /responsible-disclosure/ reward
	inurl : / responsible-disclosure/ swag
	inurl : / responsible-disclosure/ bounty
	inurl:'/responsible disclosure' hoodie
	responsible disclosure swag r=h:com

	# Depends on: msmtp, libsecret-tools
	#
	# Set password:
	# secret-tool store --label="msmtp password for jandrews271@gmail.com" service msmtp username jandrews271@gmail.com
	#
	# Send mail:
	# echo "Message Body" \| send-gmail myusername recipient@exmaple.com "My Subject"
	send-gmail() {
	local user="$1"
	local to="$2"