- Use the modified Magisk module to install the certificate in both the user and the system store. Note that a CA placed in the system store is trusted by every app on the device (not only those honouring user CAs), so do this on a dedicated test device and remove the certificate when you are done.
git clone https://github.com/Magisk-Modules-Repo/movecert.git
- Apply the cp patch (Magisk-Modules-Repo/movecert#16)
const fieldTypes = { | |
int8: { size: 1, read: 'readS8', write: 'writeS8', align: 1 }, | |
uint8: { size: 1, read: 'readU8', write: 'writeU8', align: 1 }, | |
int16: { size: 2, read: 'readS16', write: 'writeS16', align: 2 }, | |
uint16: { size: 2, read: 'readU16', write: 'writeU16', align: 2 }, | |
int32: { size: 4, read: 'readS32', write: 'writeS32', align: 4 }, | |
uint32: { size: 4, read: 'readU32', write: 'writeU32', align: 4 }, | |
int64: { size: 8, read: 'readS64', write: 'writeS64', align: 8 }, | |
uint64: { size: 8, read: 'readU64', write: 'writeU64', align: 8 }, | |
float: { size: 4, read: 'readFloat', write: 'writeFloat', align: 4 }, |
import datetime | |
import json | |
from impacket.structure import Structure | |
from enum import Flag, Enum | |
class NegotiateFlags(Flag): | |
NTLMSSP_NEGOTIATE_56 = 0x80000000 | |
NTLMSSP_NEGOTIATE_KEY_EXCH = 0x40000000 | |
NTLMSSP_NEGOTIATE_128 = 0x20000000 |
from mitmproxy import http, ctx | |
from impacket.ntlm import getNTLMSSPType1, getNTLMSSPType3 | |
import requests | |
import logging | |
import base64 | |
# Placeholder credentials for the proxy addon -- replace before running.
# NOTE(review): keep real credentials out of this file; read them from the
# environment or a secret store so they are never committed or pasted around.
username = "username"
password = "password"
# Empty domain string; presumably handed to the impacket NTLM helpers imported
# above together with username/password -- confirm against the request handler.
domain = ''
from impacket.ntlm import getNTLMSSPType1, getNTLMSSPType3 | |
import requests | |
import base64 | |
# Replace these values with your IIS server details
# NOTE(review): these are placeholders, not working defaults -- do not commit
# real credentials here; take them from the environment or a secret store.
# The default target is plain http://, so the NTLM challenge/response would be
# visible to anyone on the path; prefer https:// against a real server.
target_url = "http://localhost"
username = "username"
password = "password"
# Empty domain string; presumably passed to the impacket NTLM helpers imported
# above -- confirm.
domain = ''
# Requires system privileges! | |
# Thank you: https://github.com/sandytsang/MSIntune/blob/master/Intune-PowerShell/AppLocker/Delete-AppLockerEXE.ps1 | |
# Folder holding the exported AppLocker policy XML files (placeholder -- set before running).
$path = "<PATH TO APPLOCKER XML'S>"
# Full paths of every *.xml file directly under $path (not recursive).
$xmls = Get-ChildItem -Path $path -Filter '*.xml' | ForEach-Object { $_.FullName }
# Accumulators, presumably one per AppLocker rule collection; cleared before the
# XML files are walked below.
$Appx = $Dll = $Exe = $Msi = $Script = $null
$xmls |% { |
metadata: | |
language: v1-beta | |
name: "Potential Client-Side Desync on erroneous path" | |
description: "Tests for Client-Side Desync vulnerabilities on specifically erroneous paths" | |
author: "Frank Spierings" | |
run for each: | |
potential_path = | |
"/..%2f", | |
"/%2e%2e", |
# Thanks to h2 for the example code and thanks to Portswigger for the awesome free labs! | |
# - https://python-hyper.org/projects/h2/en/stable/plain-sockets-example.html | |
# - https://portswigger.net/web-security/request-smuggling/advanced/lab-request-smuggling-h2-request-splitting-via-crlf-injection | |
# | |
import socket | |
import ssl | |
import h2.connection | |
import h2.events |
/* | |
- Compile: docker run --rm -it -v /tmp/data:/tmp/data mono csc /tmp/data/dinvoke-shellcode.cs -out:/tmp/data/dinvoke-shellcode.exe /platform:x64 /unsafe | |
- Reference (Thanks!) : https://jhalon.github.io/utilizing-syscalls-in-csharp-1/ | |
*/ | |
using System; | |
using System.Runtime.InteropServices; | |
using System.Diagnostics; | |
using System.ComponentModel; | |
using Microsoft.Win32; |
function Invoke-SQLCmd { | |
param( | |
[Parameter(Mandatory=$True)] | |
[string] $Server, | |
[Parameter(Mandatory=$True)] | |
[string] $Database, | |
[Parameter(Mandatory=$True)] | |
[string] $Query | |
); |