yeshuibo / A.java
Created December 18, 2024 01:09 — forked from win3zz/A.java
Unicode escapes in Java are preprocessed before lexical analysis, so they can break comments and inject code!
/**
* Description:
* You can decode the hidden message by running the program.
* Compile and execute: user@host:~$ javac A.java && java A
*
* @author Bipin Jitiya
* @since 2024-12-17
*/
class A {
public static void main(String[] args){
yeshuibo / Get-InjectedThread.ps1
Created December 18, 2024 07:44 — forked from jaredcatkinson/Get-InjectedThread.ps1
Code from "Taking Hunting to the Next Level: Hunting in Memory" presentation at SANS Threat Hunting Summit 2017 by Jared Atkinson and Joe Desimone
function Get-InjectedThread
{
<#
.SYNOPSIS
Looks for threads that were created as a result of code injection.
.DESCRIPTION
yeshuibo / FreeMarker_SSTI_tricks.md
Created December 19, 2024 01:27 — forked from n1nj4sec/FreeMarker_SSTI_tricks.md
FreeMarker SSTI tricks

What is this cheat sheet?

I recently stumbled on a blind SSTI injection on a bug bounty program (no output nor stack trace, only a 500 status code on invalid syntax).

The version was up to date and it was not possible to get RCE because the conf was following best practices and there is no public sandbox bypass on the latest version. So was it possible to do stuff anyway? Yes, I found some nice gadgets to enumerate all accessible variables from the engine, read data blindly or perform some DoS.

This is not meant to be complete; you will find classic payloads for FreeMarker on other cheat sheets. This is only the new stuff from my research, which is not public anywhere else.

get versions

import sys
# The a and b values for each index in the block.
keys = {0: (54, 147), 1: (96, 129), 2: (59, 193), 4: (45, 130), 5: (96, 144), 6: (27, 129), 8: (44, 180), 9: (118, 141), 10: (115, 129), 12: (13, 164), 13: (27, 133), 14: (20, 192), 16: (28, 166), 17: (17, 133), 18: (19, 193), 20: (20, 161), 22: (14, 193), 23: (12, 132), 24: (18, 161), 25: (17, 140), 26: (29, 192), 28: (115, 178), 29: (28, 132), 31: (12, 132), 32: (31, 165), 33: (20, 136), 34: (27, 193), 36: (96, 164), 37: (18, 133), 39: (23, 132), 40: (13, 165), 41: (13, 148), 42: (23, 193), 43: (19, 132), 44: (27, 178), 45: (83, 137), 48: (18, 166), 49: (96, 148), 50: (13, 193), 52: (96, 166), 53: (20, 129), 54: (20, 193), 55: (27, 132), 56: (9, 160), 57: (96, 148), 58: (13, 192), 60: (96, 180), 62: (31, 193), 64: (7, 166), 66: (20, 192), 67: (27, 132), 68: (28, 160), 69: (17, 149), 70: (19, 193), 71: (96, 132), 72: (76, 164), 74: (80, 192), 75: (78, 132), 76: (96, 160), 77: (27, 144), 78: (24, 193), 80: (96, 178), 81: (17, 141), 82: (12, 193), 8