Skip to content

Instantly share code, notes, and snippets.

View HacKanCuBa's full-sized avatar
⛷️
Also in gitlab.com/hackancuba

Iván || HacKan HacKanCuBa

⛷️
Also in gitlab.com/hackancuba
60 followers · 50 following
View GitHub Profile
@HacKanCuBa
HacKanCuBa / gunicorn.py
Last active March 17, 2024 07:01 — forked from kodekracker/gunicorn.py
A config file of gunicorn(http://gunicorn.org/) contains fundamental configuration.
"""Gunicorn config file.
by HacKan (https://hackan.net)
Find it at: https://gist.github.com/HacKanCuBa/275bfca09d614ee9370727f5f40dab9e
Based on: https://gist.github.com/KodeKracker/6bc6a3a35dcfbc36e2b7
Changelog
=========
See revisions to access other versions of this file.
@HacKanCuBa
HacKanCuBa / cypher.py
Created September 26, 2019 00:56
Python3 OTPCypher (toy module)
from typing import Tuple
from typing import Union
TParam = Union[bytes, str, bytearray]
class OTPCypher:
"""One-time pad cypher (use with extreme care!).
There are several restrictions for this to work: both parameters must have
@HacKanCuBa
HacKanCuBa / crack_nid.py
Created July 16, 2019 17:07
Bruteforce a numeric ID from a SHA256 hash using every CPU core available
#!/usr/bin/env python3
# ***************************************************************************
# Bruteforce a numeric ID from a SHA256 hash.
# Copyright (C) <2019> <Ivan Ariel Barrera Oro>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
@HacKanCuBa
HacKanCuBa / replacing_openpgp_2019.md
Last active September 14, 2023 14:25
Replacing OpenPGP in 2019

Replacing OpenPGP in 2019

Update for 2023: this is still a thing!

It's 2019, and OpenPGP has to die already (for very many reasons I won't list, but see 1, 2 and 3). At least for most uses.
I'll try to list here some replacements categorized by usage (also see 5), because there's no one single-do-all app, and there shouldn't be!

All of this resurfaced because of a vuln exploited recently on SKS keyservers (that has NOTHING to do with OpenPGP nor GnuPG but yes, they're related to the environment) (see 4).

Note: only FOSS software listed (although some server-side implementations could be closed, where applicable).

@HacKanCuBa
HacKanCuBa / settings.py
Last active March 20, 2020 00:29
Django 2 + REST Framework 3 generic settings: it uses env vars with mostly safe defaults (replace PROJNAME for the name of your project; read through the settings and change what you need)
"""
Django settings for PROJNAME project.
Generated by 'django-admin startproject' using Django 2.1.5.
For more information on this file, see
https://docs.djangoproject.com/en/2.1/topics/settings/
For the full list of settings and their values, see
https://docs.djangoproject.com/en/2.1/ref/settings/
@HacKanCuBa
HacKanCuBa / cached.py
Last active February 9, 2021 16:08
Django Cached: simple cache abstract classes to create and use cached objects.
"""Handle object caching and data retrieval from API endpoints.
These abstract classes makes it easy to use Django's cache with a custom
object, and are very flexible. It support slots natively, and logs cache
hits/misses.
:Requirements:
- Django 2.0+
- Python 3.6+
@HacKanCuBa
HacKanCuBa / connectors.py
Last active January 2, 2020 00:03
"""Wrappers around Python 3 Requests library.
This lib will log errors, warnings and request duration, not raising any
exception: in such error cases, an empty dict is returned. To identify, if
necessary, that there where errors, a with_error flag must be set in the
arguments so that the methods return a tuple in the form of
(response_data: any, error: bool).
If there's any response expected from the endpoint, it will be returned
JSON-converted as-is, which means it's either valid JSON (string, number,
@HacKanCuBa
HacKanCuBa / phpinfo.php
Last active September 14, 2018 22:10
Safe phpinfo file
<?php
// Safe PHPInfo file by HacKan
// You should prefer to delete it after using it, but we know how that can go... at least, be safe
// create passwd with:
// php -r '$pass = bin2hex(random_bytes(10)); echo "Plain: ", $pass, PHP_EOL, "Encrypted: ", password_hash($pass, PASSWORD_DEFAULT), PHP_EOL;'
define('PASSWD','');
$p = filter_input(INPUT_GET, 'p', FILTER_SANITIZE_STRING);
if (!empty(PASSWD) && !empty($p) && password_verify($p, PASSWD)) {
@HacKanCuBa
HacKanCuBa / exfiltrate.html
Created May 15, 2018 17:36
PoC to exfiltrate signal-desktop messages exploiting CVE-2018-11101 or CVE-2018-10994
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8"/>
<!--
DO NOT USE THIS IN REAL LIFE, IT'S JUST A POC! Be nice, don't hack activists :)
by HacKan: https://ivan.barreraoro.com.ar/signal-desktop-html-tag-injection-variant-2
under GNU GPL v3.0+
-->
</head>
@HacKanCuBa
HacKanCuBa / properly-signing-gh-release-packages.md
Last active September 21, 2020 16:17
Properly signing Github releases

Github automatically generates .tar.gz and .zip packages of the repository when a release or pre-release is created under releases. However, these packages are not signed! The tag might be signed but if a user downloads one of those, there's no true certification of its content, rather than pure trust on Github.

However, you can edit a release after it's generated to upload files, and this is how you upload signature files for those packages (as I usually do). But, to sign them, you need to first download them and, of course, verify them! Otherwise, you'll be signing your trust to Github without checking!

I will be using a tool I created to do recursive blake2 checksums called b2rsum. You can use any other tool that does the same if you want.

To properly verify those packages, do the following:

  1. Create a temporal directory to store all files, lets call it /tmp/github.
  2. Copy your source code to a subdirectory there: cp -r ~/code/myproject /tmp/github/orig.