Skip to content

Instantly share code, notes, and snippets.

View Xib3rR4dAr's full-sized avatar

Xib3rR4dAr

21 followers · 9 following
View GitHub Profile
@Xib3rR4dAr
Xib3rR4dAr / phash_solution.md
Last active July 3, 2023 10:55
Solution of challenge "phash" from AUPCTF

phash

Challenge Name: phash
Challenge Text: login source
Initial Hint: No Hint First Hint (when no one solved): Marvel characters (lowercased) Second Hint: Who was the character that fans speculated would appear in a "Marvel Show" but ultimately did not make an appearance? (Third Hint was provided after first 🩸 was obtained by me)

Provided:
image

@Xib3rR4dAr
Xib3rR4dAr / conundrum_solution.md
Created June 26, 2023 19:38
Solution of challenge "conundrum" from AUPCTF
@Xib3rR4dAr
Xib3rR4dAr / wp_xmlrpc_reqs.md
Created November 24, 2022 10:40
Wordpress XMLRPC 
POST /xmlrpc.php HTTP/1.1
Host: example.com
Content-Length: 91
Content-Type: application/x-www-form-urlencoded

<methodCall>
<methodName>system.listMethods</methodName>
@Xib3rR4dAr
Xib3rR4dAr / burp-suite-turbo-intruder-race.py
Created February 23, 2022 06:02
Racing script for Turbo Intruder extension in Burp Suite.
# From https://github.com/PortSwigger/turbo-intruder/blob/master/resources/examples/race.py
def queueRequests(target, wordlists):
engine = RequestEngine(endpoint=target.endpoint,
concurrentConnections=30,
requestsPerConnection=100,
pipeline=False
)
# the 'gate' argument blocks the final byte of each request until openGate is invoked
for i in range(30):
@Xib3rR4dAr
Xib3rR4dAr / WP_plugin_wp-statistics_Unauthenticated-Stored-XSS_PoC.md
Last active March 7, 2022 14:16
WordPress Plugin WP Statistics >= 13.1.5 - Unauthenticated Stored Cross-Site Scripting in `ip`

WordPress Plugin WP Statistics >= 13.1.5 - Unauthenticated Stored Cross-Site Scripting

Tested onWordpress 5.9
Exploit TitleWordPress Plugin WP Statistics >= 13.1.5 - Unauthenticated Stored Cross-Site Scripting
Exploit AuthorMuhammad Zeeshan (Xib3rR4dAr)
DateFebruary 13, 2022
Plugin LinkWP-Statistics
Plugin Active Installations600,000+
Version13.1.5 (Latest)
@Xib3rR4dAr
Xib3rR4dAr / WP_plugin_wp-statistics_Unauthenticated-Stored-XSS_PoC.md
Last active March 7, 2022 14:17
WordPress Plugin WP Statistics >= 13.1.5 - Unauthenticated Stored Cross-Site Scripting in platform

WordPress Plugin WP Statistics >= 13.1.5 - Unauthenticated Stored Cross-Site Scripting

Tested onWordpress 5.9
Exploit TitleWordPress Plugin WP Statistics >= 13.1.5 - Unauthenticated Stored Cross-Site Scripting
Exploit AuthorMuhammad Zeeshan (Xib3rR4dAr)
DateFebruary 13, 2022
Plugin LinkWP-Statistics
Plugin Active Installations600,000+
Version13.1.5 (Latest)
@Xib3rR4dAr
Xib3rR4dAr / WP_plugin_wp-statistics_Unauthenticated-Stored-XSS_PoC.md
Last active March 7, 2022 14:17
WordPress Plugin WP Statistics >= 13.1.5 - Unauthenticated Stored Cross-Site Scripting in browser

WordPress Plugin WP Statistics >= 13.1.5 - Unauthenticated Stored Cross-Site Scripting

Tested onWordpress 5.9
Exploit TitleWordPress Plugin WP Statistics >= 13.1.5 - Unauthenticated Stored Cross-Site Scripting
Exploit AuthorMuhammad Zeeshan (Xib3rR4dAr)
DateFebruary 13, 2022
Plugin LinkWP-Statistics
Plugin Active Installations600,000+
Version13.1.5 (Latest)
@Xib3rR4dAr
Xib3rR4dAr / WP_plugin_wp-statistics__Multiple-Unauthenticated-SQL-Injections_PoC.md
Last active July 20, 2022 01:58
WordPress Plugin WP Statistics <= 13.1.5 - Multiple Unauthenticated SQL Injection vulnerabilities

WordPress Plugin WP Statistics <= 13.1.5 - Multiple Unauthenticated SQL Injection vulnerabilities

Tested onWordpress 5.9
Exploit TitleWordPress Plugin WP Statistics <= 13.1.5 - Multiple Unauthenticated SQL Injection vulnerabilities
Exploit AuthorMuhammad Zeeshan (Xib3rR4dAr)
DateFebruary 13, 2022
Plugin LinkWP-Statistics
Plugin Active Installations600,000+
Version13.1.5 (Latest)
@Xib3rR4dAr
Xib3rR4dAr / xss.php
Created January 27, 2022 10:33
<?php
// For testing XSS is various status codes
http_response_code($_GET['rCode']); // User controlled response code
echo $_GET['payload']; // User input reflected as it is
?>
@Xib3rR4dAr
Xib3rR4dAr / WP_plugin_Embed-Swagger_XSS_PoC.md
Last active February 23, 2022 09:34

WordPress Plugin Embed Swagger 1.0.0 - Reflected Cross-Site Scripting

Vulnerable File:Line/wp-content/plugins/embed-swagger/swagger-iframe.php:59
Exploit TitleWordPress Plugin Embed Swagger 1.0.0 - Reflected Cross-Site Scripting
Exploit AuthorMuhammad Zeeshan (Xib3rR4dAr)
DateJanuary 21, 2022
Plugin LinkEmbed Swagger
Version1.0.0 (Latest)
Tested onWordpress 5.8.3