Skip to content

Instantly share code, notes, and snippets.

View Splint3r7's full-sized avatar
🎯
Focusing

Hassan Khan Yusufzai Splint3r7

🎯
Focusing
32 followers · 86 following
View GitHub Profile
@NagliNagli
NagliNagli / lottie-backdoor.yaml
Created October 31, 2024 00:13
id: backdoor-lottie-detection
info:
name: detect-lottie-backdoor
author: nagli-wiz-research
severity: critical
requests:
- raw:
- |+
@0x240x23elu
0x240x23elu / Jira bug-exploit
Last active March 12, 2024 09:45
Jira Bug CVE-2019-8449,CVE-2019-8451,CVE-2019-8451,cve-2018-20824,cve-2020-14179,cve-2020-14181,CVE-2018-5230
cve-2019-8449
The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.
https://jira.atlassian.com/browse/JRASERVER-69796
https://victomhost/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true
=====================================================================================================================================
@1mm0rt41PC
1mm0rt41PC / disable-android-ssl-pinning.js
Last active January 24, 2023 08:42 — forked from cubehouse/pinning.js
A Frida script to bypass SSL Pinning on Android and webview security. https://blog.jamie.holdings/2019/01/19/advanced-certificate-bypassing-in-android-with-frida/. An update has been done here => https://codeshare.frida.re/@akabe1/frida-multiple-unpinning/
// start with:
// frida -U -l pinning.js -f [APP_ID] --no-pause
Java.perform(function () {
console.log('')
console.log('===')
console.log('* Injecting hooks into common certificate pinning methods *')
console.log('===')
var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
@pich4ya
pich4ya / root_bypass.js
Created August 5, 2019 20:14
Bypass Android Root Detection / Bypass RootBeer - August 2019
// $ frida -l antiroot.js -U -f com.example.app --no-pause
// CHANGELOG by Pichaya Morimoto ([email protected]):
// - I added extra whitelisted items to deal with the latest versions
// of RootBeer/Cordova iRoot as of August 6, 2019
// - The original one just fucked up (kill itself) if Magisk is installed lol
// Credit & Originally written by: https://codeshare.frida.re/@dzonerzy/fridantiroot/
// If this isn't working in the future, check console logs, rootbeer src, or libtool-checker.so
Java.perform(function() {
var RootPackages = ["com.noshufou.android.su", "com.noshufou.android.su.elite", "eu.chainfire.supersu",
@akabe1
akabe1 / frida_multiple_unpinning.js
Last active March 4, 2025 22:23
Another Android ssl certificate pinning bypass for various methods
/* Android ssl certificate pinning bypass script for various methods
by Maurizio Siddu
Run with:
frida -U -f <APP_ID> -l frida_multiple_unpinning.js [--no-pause]
*/
setTimeout(function() {
Java.perform(function() {
console.log('');
@cubehouse
cubehouse / pinning.js
Last active February 23, 2025 17:15
A Frida script to bypass SSL Pinning on Android. https://blog.jamie.holdings/2019/01/19/advanced-certificate-bypassing-in-android-with-frida/
// start with:
// frida -U -l pinning.js -f [APP_ID] --no-pause
Java.perform(function () {
console.log('')
console.log('===')
console.log('* Injecting hooks into common certificate pinning methods *')
console.log('===')
var X509TrustManager = Java.use('javax.net.ssl.X509TrustManager');
@WPprodigy
WPprodigy / plugin.php
Last active March 10, 2022 08:17 — forked from joncave/plugin.php
An intentionally vulnerable plugin developed for WordPress plugin author education.http://make.wordpress.org/plugins/2013/04/09/intentionally-vulnerable-plugin/
<?php
/* Plugin Name: Damn Vulnerable WordPress Plugin
* Description: Intentionally vulnerable plugin for plugin author education
* Version: 0.1
* Plugin URI: http://make.wordpress.org/plugins/2013/04/09/intentionally-vulnerable-plugin/
* Author: Jon Cave
* Author URI: http://joncave.co.uk
* Text Domain: damn-vulnerable-wordpress-plugin
* License: GPLv2+
*
@yangxuan8282
yangxuan8282 / emoji-info.sh
Last active January 24, 2025 18:39
Emoji❤bash
#!/bin/bash
# run this scripts with `bash emoji-info.sh` or `./emoji-info.sh`
usage() {
cat << EOF
usage: $0 [options] <emoji>
Options:
-h Show this message
-o Octal Escape Sequence
@bueltge
bueltge / wp-plugin-security-testing-cheatsheet.md
Created August 22, 2016 12:12
WordPress Plugin Security Testing Cheat Sheet

WordPress Plugin Security Testing Cheat Sheet

This cheat sheet was compiled by Dewhurst Security to record the knowledge gained when testing WordPress plugins for security issues for our clients. The security documentation provided by WordPress and found online for plugin security is sparse, outdated or unclear. This cheat sheet is intended for Penetration Testers who audit WordPress plugins or developers who wish to audit their own WordPress plugins.

This is a living document, feedback in the form of Issues or Pull Requests is very much welcomed.

Cross-Site Scripting (XSS)

@joncave
joncave / plugin.php
Last active September 21, 2023 17:50
An intentionally vulnerable plugin developed for WordPress plugin author education. http://make.wordpress.org/plugins/2013/04/09/intentionally-vulnerable-plugin/
<?php
/* Plugin Name: Damn Vulnerable WordPress Plugin
* Description: Intentionally vulnerable plugin for plugin author education
* Version: 0.1
* Plugin URI: http://make.wordpress.org/plugins/2013/04/09/intentionally-vulnerable-plugin/
* Author: Jon Cave
* Author URI: http://joncave.co.uk
* License: GPLv2+
*
* DO NOT RUN THIS PLUGIN ON AN INTERNET ACCESSIBLE SITE