This is a living document. Everything in this document is made in good faith of being accurate, but like I just said; we don't yet know everything about what's going on.
On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that
| <?php | |
| /** | |
| * This file contains functions to retrieve system information and display it in a single file server dashboard. | |
| * The functions include generating a safe ID, parsing lines, getting CPU info, load average, basic server info, | |
| * CPU usage, memory usage, disk usage, and disk space. | |
| * | |
| * @author Zxce3 | |
| * @version 1.1 | |
| */ |
Yesterday I posted a little quiz on Twitter about HTML parsing.
The question was: what element is going to be the parent of the final <s> in the following snippet of HTML:
<div><table><svg><foreignObject><select><table><s>The final answers are:
| <?php | |
| //php gd-gif.php image.gif gd-image.gif | |
| $gif = imagecreatefromgif($argv[1]); | |
| imagegif($gif, $argv[2]); | |
| imagedestroy($gif); | |
| ?> |
| #!/bin/bash | |
| url='rawsec.ml' | |
| domains=$(curl $url -s | grep -E 'https?://[^"]*' | cut -d '/' -f 3 | cut -d '"' -f 1 | uniq) | |
| filename='/tmp/temporary_ips.txt' | |
| for domain in $domains | |
| do |
| / | |
| $$$lang-translate.service.js.aspx | |
| $367-Million-Merger-Blocked.html | |
| $defaultnav | |
| ${idfwbonavigation}.xml | |
| $_news.php | |
| $search2 | |
| £º | |
| .0 | |
| /0 |
image_extract.py performs character extraction on targetted against the HackerOne H1-702 CTF announcement imagedecrypt_sqli.py performs blind sqli data extraction with encrypted payloads targetting against the FliteThermostat APItiming_attack.py performs an HTTP piplining based timing against the FliteThermostat Backendwordlist_generator.py generates wordlists from a give corpus or set of corpuseshttplib.py performs efficient asynchronous HTTP requests against the FliteThermostat Backend
| #include <time.h> // Robert Nystrom | |
| #include <stdio.h> // @munificentbob | |
| #include <stdlib.h> // for Ginny | |
| #define r return // 2008-2019 | |
| #define l(a, b, c, d) for (i y=a;y\ | |
| <b; y++) for (int x = c; x < d; x++) | |
| typedef int i;const i H=40;const i W | |
| =80;i m[40][80];i g(i x){r rand()%x; | |
| }void cave(i s){i w=g(10)+5;i h=g(6) | |
| +3;i t=g(W-w-2)+1;i u=g(H-h-2)+1;l(u |
| #!/usr/bin/python | |
| # Author: Adam Jordan | |
| # Date: 2019-02-15 | |
| # Repository: https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc | |
| # PoC for: SECURITY-1266 / CVE-2019-1003000 (Script Security), CVE-2019-1003001 (Pipeline: Groovy), CVE-2019-1003002 (Pipeline: Declarative) | |
| import argparse | |
| import jenkins |
| #!/bin/bash | |
| # If you find a site with /_wpeprivate/config.json file exposed, run this and get all kinds of fun goodies. | |
| # If it "no worked" (Technical Term) then you probably need to install jq! | |
| TARGET=$1 | |
| TARGETDOMAIN=$(echo $TARGET | cut -d/ -f3) | |
| # Pretty Colors | |
| RESET='\033[00m' | |
| GREEN='\033[01;32m' |