Skip to content

Instantly share code, notes, and snippets.

View lokori's full-sized avatar

Antti Virtanen lokori

View GitHub Profile
@lokori
lokori / run-with-db.py
Created May 11, 2017 10:10
run to the db hills
# Run something in a db transaction, handle commit etc.
# f is a function which takes db cursor as a parameter for callback
def run_with_db(f):
connection = None
try:
connection = psycopg2.connect(__get_connection_string(config))
cursor = connection.cursor()
rv = f(cursor) # run something in db transaction
cursor.close()
@lokori
lokori / awsenv.sh
Last active November 25, 2017 20:51 — forked from woowa-hsw0/assume_role.sh
Start AWS CLI Session with MFA Enabled (+Yubikey)
#!/bin/bash
# Original: https://gist.github.com/woowa-hsw0/caa3340e2a7b390dbde81894f73e379d
set -eu
umask 0022
TMPDIR=$(mktemp -d awsenv)
echo "TEMPDIR $TMPDIR"
@lokori
lokori / validate-postgresql-triggers.clj
Created September 13, 2017 11:24
Validate PostgreSQL triggers, Clojure example
(ns postgresql-util
"Common db validations"
(:require [korma.core :as sql]))
(defn validate-triggers
"Checks that all tables in the database, except for Flyway's schema table, have triggers enabled."
[]
(let [flyway-table "schema_version"
invalid-tables (sql/exec-raw
(str "select table_name from information_schema.tables"
@lokori
lokori / zap_cli_scan.sh
Created October 31, 2017 12:14 — forked from ian-bartholomew/zap_cli_scan.sh
script to run owasp zap cli
#!/bin/sh
DOCKER=`which docker`
IMAGE='owasp/zap2docker-weekly'
URL='https://www.example.com'
ZAP_API_PORT='8090'
# Start our container
CONTAINER_ID=`$DOCKER run -d \
-p $ZAP_API_PORT:$ZAP_API_PORT \
@lokori
lokori / zap_cli_scan.sh
Created October 31, 2017 12:14 — forked from ian-bartholomew/zap_cli_scan.sh
script to run owasp zap cli
#!/bin/sh
DOCKER=`which docker`
IMAGE='owasp/zap2docker-weekly'
URL='https://www.example.com'
ZAP_API_PORT='8090'
# Start our container
CONTAINER_ID=`$DOCKER run -d \
-p $ZAP_API_PORT:$ZAP_API_PORT \
@lokori
lokori / xml-attacks.md
Created December 11, 2017 20:46 — forked from mgeeky/xml-attacks.md
XML Vulnerabilities and Attacks cheatsheet

XML Vulnerabilities

XML processing modules may be not secure against maliciously constructed data. An attacker could abuse XML features to carry out denial of service attacks, access logical files, generate network connections to other machines, or circumvent firewalls.

The penetration tester running XML tests against application will have to determine which XML parser is in use, and then to what kinds of below listed attacks that parser will be vulnerable.


import javax.net.ssl.*;
import java.security.GeneralSecurityException;
/**
* Vain kehityskäyttöön. Mahdollistaa https://localhost yhteydet ohittamalla Javan SSL turvamekanismit.
* <p>
* <ul>
* <li>http://stackoverflow.com/questions/2893819/telling-java-to-accept-self-signed-ssl-certificate</li>
* <li>http://stackoverflow.com/questions/859111/how-do-i-accept-a-self-signed-certificate-with-a-java-httpsurlconnection</li>
* <li>http://stackoverflow.com/questions/2290570/pkix-path-building-failed-while-making-ssl-connection</li>
<!DOCTYPE html>
<html>
<head>
<title>Copy-Paste from Website to Terminal</title>
</head>
<style>
.codeblock {
background-color: lightyellow;
border: 1px dotted blue;
margin-left: 50px;
@lokori
lokori / writeup-for-reaktor-CTF
Created January 14, 2018 12:06
Reaktor Java app challenge from Disobey 2018 CTF
Reaktor's Java application CTF challenge from Disobey 2018
It seems I was not the only one struggling with the Java application challenge. There was
JAR file and that's how it began.
After decompiling the JAR the main class contained code which didn't do anything. It looks like this:
String encryptedResult = "[3, 63, -54, -8, -45, -89, -91, 40, -111, -77, -76, -49, 119, 8, -46, 9, -70, 99, -12, 3, 124, 65, -66, 104, -18, 4, 64, 87, 6, -72, 68, 121, -32, -52, -104, 25, -54, 71, -84, -128, -35, -115, -74, -26, -30, -127, -96, -42]";
String result = (String) null;
String url = (String) null;
@lokori
lokori / tirsk-spoofing.php
Created February 27, 2018 12:35
harmless example for dns spoofing
<?php
/*
This file can be useful in conjunction with DNSSpoof
*/
?>
<html>
<body>
<audio class="my_audio" preload="none" id = "saundi">