brandonprry

#export https_proxy=http://127.0.0.1:8081

USER=''
PASS=''
KEY="bd516a32ff7db81c4a991acfc5656da3" #not secret
TALENT="967951"
VERSION="48"


rm /tmp/fdsa

brandonprry

COOKIE='your_web_session_cookie_use_document.cookie_in_js_console'
SHOP='your_shop_id'

for i in `seq 0 39 500`; do curl --retry 5 \
    -H $'Host: www.etsy.com' -H $'Authority: www.etsy.com' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'Accept-Language: en-US,en;q=0.9' -H $'Content-Type: application/json' -H $'Referer: https://www.etsy.com/your/shops/WanderingRobotStudio/tools/listings/view:table/1492031241' -H $'Sec-Ch-Ua: \"Google Chrome\";v=\"113\", \"Chromium\";v=\"113\", \"Not-A.Brand\";v=\"24\"' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'Sec-Ch-Ua-Platform: \"macOS\"' -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' -H $'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.0.0 Safari/537.36' -H $'X-Detected-Locale: USD|en-US|US' -H $'X-Requested-With: XMLHttpRequest' \
    -b "$COOKIE" \
    $'https://www.etsy.com/api/v3/ajax/shop/'$SHOP'/listings/search?limit=200&offset='$i'&sort_field=ending_da

brandonprry

Turn on debugging.

Still install sshd. File transfer over adb push/pull is too slow.

#Disable Sound
$ adb shell input keyevent 164

$ adb shell svc power stayon true

$ adb tcpip 4321 #Enable adb over wifi.

brandonprry

repeat 
    tell application "System Events" to key code (random number from 0 to 44)
    delay 8
end repeat

brandonprry

     cred_collection = ::Metasploit::Framework::CredentialCollection.new(
       user_file: datastore['USER_FILE'],
       username: datastore['USERNAME'],
       blank_passwords: true
     )

brandonprry

apt-get install xvfb && Xvfb :1 -screen 0 640x480x8 && export DISPLAY=:1.0 ; xcalc

brandonprry

bperry@ubuntu:~/tmp$ DYNINSTAPI_RT_LIB=./dyninst-9.2.0/build/dyninstAPI_RT/libdyninstAPI_RT.so LD_LIBRARY_PATH=.:$LD_LIBRARY_PATH ./afl-dyninst -i fisimple -o fi_inst  -l libsc_fi.so -d
Skipping library: libAflDyninst.so
Skipping library: crtstuff.c
Skipping library: libAflDyninst.cpp
Instrumenting module: fisimple
Instrumenting module: crtstuff.c
Skipping library: DEFAULT_MODULE
Instrumenting module: libsc_fi.so
Segmentation fault
bperry@ubuntu:~/tmp$ 

brandonprry

    for( j = 0; j < n->classname_len && j<9; j++)
      kv[j] = b[j*2];

    kv[8] = 0;
    sscanf( kv, "%x", (unsigned int*)( &key[i*4] ) );

brandonprry

During a recent pentest, we came across the Apache Jetspeed 2 HTTP server. After a few hours of testing, I realised that the web application was vulnerable to an unauthenticated reflected XSS attack. However, I was limited, as I could not use < or > in the URL, as Jetspeed would return a 400 Bad Request HTTP response.

I could break out of an attribute that was storing the URL with a double-quote ("), though, so I could control the attributes on a random element. A specially crafted URL could define a style attribute making the arbitrary HTML element take up the entire page, then an onmouseover attribute could execute random javascript. I ended up with a generic URL that looked like this (URL encoded):

---

http://192.168.0.7:8080/jetspeed/portal/fdsa%22%20%73%74%79%6c%65%3d%22%70%61%64%64%69%6e%67%2d%74%6f%70%3a%35%30%30%30%70%78%3b%64%69%73%70%6c%61%79%3a%62%6c%6f%63%6b%3b%70%6f%73%69%74%69%6f%6e%3a%66%69%78%65%64%3b%74%6f%70%3a%30%3b%6c%65%66%74%3a%30%3b%22%20%6f%6e%6d%6f%75%73%65%6f%76%65%72%3d%22%6a%61

brandonprry

#!/bin/bash

cores=$1
inputdir=$2
outputdir=$3
pids=""
total=`ls $inputdir | wc -l`

for k in `seq 1 $cores $total`
do