Skip to content

Instantly share code, notes, and snippets.

View orangetw's full-sized avatar
🍊
This is orange!

Orange Tsai orangetw

🍊
This is orange!
View GitHub Profile
@orangetw
orangetw / jenkins-decrypt.groovy
Created August 4, 2017 07:31 — forked from tuxfight3r/jenkins-decrypt.groovy
Decrypting Jenkins Password
#To Decrypt Jenkins Password from credentials.xml
#<username>jenkins</username>
#<passphrase>your-sercret-hash-S0SKVKUuFfUfrY3UhhUC3J</passphrase>
#go to the jenkins url
http://jenkins-host/script
#In the console paste the script
hashed_pw='your-sercret-hash-S0SKVKUuFfUfrY3UhhUC3J'
@orangetw
orangetw / Advanced-HTTP-en.md
Created November 19, 2017 19:52 — forked from nicolas-grekas/Advanced-HTTP-en.md
Advanced handling of HTTP requests in PHP
@orangetw
orangetw / all.txt
Created September 7, 2018 14:36 — forked from jhaddix/all.txt
all wordlists from every dns enumeration tool... ever. Please excuse the lewd entries =/
This file has been truncated, but you can view the full file.
.
..
........
@
*
*.*
*.*.*
🐎
@orangetw
orangetw / introspection-query.graphql
Created September 21, 2018 03:42 — forked from craigbeck/introspection-query.graphql
Introspection query for GraphQL
query IntrospectionQuery {
__schema {
queryType { name }
mutationType { name }
subscriptionType { name }
types {
...FullType
}
directives {
@orangetw
orangetw / redis-lua-linux-x86-poc.py
Created February 12, 2019 15:43 — forked from c3c/redis-lua-linux-x86-poc.py
Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Original exploit by corsix and sghctoma
## Author: @c3c
## It's possible to abuse the Lua 5.1 sandbox to obtain RCE by loading modified bytecode
## This concept is fully explained on corsix' gist at https://gist.github.com/corsix/6575486
## This version uses pieces of the 32-bit Windows exploit made by corsix and the 64-bit Linux exploit made by sghctoma; as expected, a few offsets were different
## sghctoma's exploit uses the arbitrary memory read to leak pointers to libc and find the address of "system" http://paper.seebug.org/papers/Security%20Conf/Defcon/2015/DEFCON-23-Tamas-Szakaly-Shall-We-Play-A-Game.pdf
## This code is much the same, except the process is done using pwntools' DynELF
## Furthermore, attempting to leak addresses in libc appears to cause segfaults on my 32-bit Linux, in which case, you will need to obtain the remote libc version
@orangetw
orangetw / ntlmdecoder.py
Created May 21, 2021 09:20 — forked from aseering/ntlmdecoder.py
NTLM auth-string decoder
#!/usr/bin/env python
## Decodes NTLM "Authenticate" HTTP-Header blobs.
## Reads the raw blob from stdin; prints out the contained metadata.
## Supports (auto-detects) Type 1, Type 2, and Type 3 messages.
## Based on the excellent protocol description from:
## <http://davenport.sourceforge.net/ntlm.html>
## with additional detail subsequently added from the official protocol spec:
## <http://msdn.microsoft.com/en-us/library/cc236621.aspx>
##
@orangetw
orangetw / w3rmup.php
Created December 5, 2021 13:47
<?php
if (!isset($_GET['mail']))
highlight_file(__FILE__) && exit();
$mail = filter_var($_GET['mail'], FILTER_VALIDATE_EMAIL);
$addr = filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP);
$country = geoip_country_code_by_name($addr);
if (!$addr || strlen($addr) == 0) die('bad addr');
if (!$mail || strlen($mail) == 0) die('bad mail');