aolle

The following describes a technique to achieve HTTP request smuggling against infrastructure behind a HAProxy server when using specific configuration around backend connection reuse. This was tested against HAProxy versions 1.7.9, 1.7.11, 1.8.19, 1.8.21, 1.9.10, and 2.0.5. Of all these tested versions, only 2.0.5 was not vulnerable out of the box, although it is when using the no option http-use-htx configuration, which reverts back to the legacy HTTP decoder. 2.1 removed the legacy decoder so it is not affected.

To actually exploit HTTP smuggling using the issue described in this writeup, the backend server(s) behind HAProxy would also have to be vulnerable in the sense they too would need to suffer from a bug, but one which parses and accepts a poorly formed Transfer-Encoding header (almost certainly violating RFC7230), and allows HTTP keep-alive.

The HAProxy bug - sending both Transfer-Encoding and Content-Length

This is how HAProxy handles a request when Transfer-Encoding and Content-Length is p

aolle

# -------------------------------------------------------------------------
#  Nimbus note HTML export to markdown converter
#  Extract all zip files containing 'note.html' and convert to markdown
#    
# Setup:
#  1) install python 3 for your OS
#  2) install pandoc https://github.com/jgm/pandoc/releases/tag/2.11.4
#     on Windows, the .msi will automatically add pandoc to your $PATH
#     otherwise add it to your $PATH.
#  3) save this script in the directory where your HTML exports were 

aolle

  1   b   java.lang.String::charAt (33 bytes)
  2   b   java.lang.Math::max (11 bytes)
  3   b   java.util.jar.Manifest$FastInputStream::readLine (167 bytes)
  4   b   sun.nio.cs.UTF_8$Decoder::decodeArrayLoop (553 bytes)
  5   b   java.util.Properties$LineReader::readLine (383 bytes)
  6   b   java.lang.String::hashCode (60 bytes)
  7   b   java.lang.String::indexOf (151 bytes)
  8   b   sun.nio.cs.ext.DoubleByteDecoder::decodeSingle (10 bytes)
  9   b   java.lang.String::lastIndexOf (156 bytes)
 10   b   java.lang.String::replace (142 bytes)

aolle

My Openshift Cheatsheet

Openshift build secrets for cloning git repos using SSH Keys

• To create ssh secret:

oc create secret generic sshsecret \
    --from-file=ssh-privatekey=$HOME/.ssh/id_rsa

aolle

GDB commands by function - simple guide
---------------------------------------
More important commands have a (*) by them.

Startup 
% gdb -help         	print startup help, show switches
*% gdb object      	normal debug 
*% gdb object core 	core debug (must specify core file)
%% gdb object pid  	attach to running process
% gdb        		use file command to load object 

aolle

die () {
    echo "${0}: ${2}" >&2
    exit ${1}
}

aolle

warn () {
    echo "$0:" "$@" >&2
}
die () {
    rc=$1
    shift
    warn "$@"
    exit $rc
}

aolle

import java.net.*;

public class Nc {
    public static void main(String[] args){
        if(args.length < 2)
            return;

        String host = args[0];
        int port = Integer.parseInt(args[1]);
        String msg = "Port " + port + " from " + host;

aolle

gem: --user-install

aolle

#!/bin/bash

docker run -d --name srv01-postfix \
-v ~/docker/postfix/conf/:/etc/postfix/ \
--net=backend \
--net-alias postfix \
--restart on-failure:5 \
custom_img/postfix \
hostname.com