Jakom (j4k0m)
🌶️ Breaking machines
  • Morocco
@postmodern
postmodern / rails_rce.rb
Last active October 18, 2024 00:07
Proof-of-Concept exploit for Rails Remote Code Execution (CVE-2013-0156)
#!/usr/bin/env ruby
#
# Proof-of-Concept exploit for Rails Remote Code Execution (CVE-2013-0156)
#
# ## Advisory
#
# https://groups.google.com/forum/#!topic/rubyonrails-security/61bkgvnSGTQ/discussion
#
# ## Caveats
#
@mccabe615
mccabe615 / phpdangerousfuncs.md
Last active November 7, 2024 05:44
Dangerous PHP Functions

Command Execution

exec           - Returns the last line of the command's output
passthru       - Passes the command's output directly to the browser
system         - Passes the command's output directly to the browser and returns the last line
shell_exec     - Returns the command's output
`` (backticks) - Same as shell_exec()
popen          - Opens a read or write pipe to the process of a command
proc_open      - Similar to popen() but with a greater degree of control
pcntl_exec     - Executes a program
# Exploit Title: Jenzabar 9.2.x through 9.2.2 allows /ics?tool=search&query= XSS.
# Google Dork: Jenzabar - v9.2.0 / v9.2.1 / v9.2.2
# Date: 2021-02-05
# Exploit Author: y0ung_dst
# Vendor Homepage: https://jenzabar.com
# Version: Jenzabar - v9.2.0-v9.2.1-v9.2.2 (and maybe other versions)
# Tested on: Windows 10
# CVE : CVE-2021-26723

I noticed that the color parameter can contain any characters, which is useful for getting out of the scope of the variable color=" , but it is limited: it reflects only 3 chars.

And because the value of the nickname parameter is reflected after the color, we can benefit from that by making anything after color a comment until we reach the value of the nickname parameter: color="/*&nickname=*/

And then we can use , to add our malicious code with window.location, but the application converts the word location to ( ͡° ͜ʖ ͡°). There is a way to bypass that by using an escaped unicode sequence for a specific char in the word location, which will be converted back to the original form by the JavaScript itself (because (), %60 and some other chars are blocked, location is the better choice).

Unfortunately the double quotes, single quotes and %60 are blocked by the application, so we cannot use them to assign our host as a value to location, but fortunately in JavaScript /Anything/ is considered as "/anything/", so we assign our host to location