Sam Quigley emerose

## keyscan.rb
#!/usr/bin/env ruby
require 'tempfile'

KEYGEN = "/usr/bin/ssh-keygen"
KEYSFILE = "authorized_keys"

keys = []

File.open(KEYSFILE).each_line do |l|
  next if (l =~ /\A\s*\Z/) # blank line

## gist:701244
#!/usr/bin/env ruby
#
# This program encrypts and decrypts messages at the command line.
# It runs setuid root, so that it can be used by users without giving
# them access to the (root-owned) secret encryption key.

require 'openssl'

SECRET_KEY="/etc/secrypt.key"
OUTPUT_FILE="/tmp/secrypt.out"

## running_man.rb
require 'open3'
class RunningMan
  def initialize(*cmd)
    @cmd = cmd
  end

  attr_reader :status, :output, :error

  def run
    input, output, err = Open3.popen3(*@cmd)

## brew install openldap -vd
sqbook:local sq$ brew install openldap -vd
==> Build Environment
CC: /usr/bin/cc => /usr/bin/gcc-4.2
CXX: /usr/bin/c++ => /usr/bin/c++-4.2
LD: /usr/bin/cc => /usr/bin/gcc-4.2
CFLAGS: -O3 -march=core2 -msse4.1 -w -pipe
CXXFLAGS: -O3 -march=core2 -msse4.1 -w -pipe
MAKEFLAGS: -j2
==> Downloading ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.21.tgz
File already downloaded and cached to /Users/sq/Library/Caches/Homebrew

## gist:429470
Exception in thread "main" java.lang.NullPointerException
	at java.net.Parts.<init>(URL.java:1262)
	at java.net.URL.<init>(URL.java:380)
	at java.net.URL.<init>(URL.java:283)
	at com.netifera.poet.ui.view.PoetComponent.createFormOracle(PoetComponent.java:252)
	at com.netifera.poet.ui.view.PoetComponent.doOracleTestAction(PoetComponent.java:223)
	at com.netifera.poet.ui.view.PoetComponent.actionButtonClicked(PoetComponent.java:213)
	at com.netifera.poet.ui.view.PoetComponent.access$2(PoetComponent.java:194)
	at com.netifera.poet.ui.view.PoetComponent$3.widgetSelected(PoetComponent.java:164)
	at org.eclipse.swt.widgets.TypedListener.handleEvent(Unknown Source)

## gist:401558
def random_password(length=10)
  allowed_chars = (('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a)
  ret = ''
  OpenSSL::Random.random_bytes(length).each_byte do |b|
    ret << allowed_chars[b % allowed_chars.length]
  end
  return ret
end

## svc-users.php
<?php
//...
   $sql = "SELECT * FROM Users WHERE " .
           "(Username = '" . addslashes($username) . "') " .
           "AND (Token = '" . addslashes($token) . "')";
    $rs = $db->executeQuery($sql);
    if ( $rs->next() ) {
//...
?>

## Plaintext Passwords IV Fix.php
<?php
$salt = substr(md5(rand()), 0, 4);
$hashedpassword = md5($password.$salt);
$sql = "INSERT INTO Users (Username, Password, Salt) " .
       "VALUES ('" . addslashes($username) . "', " .
       "'$hashedpassword', '$salt')";
$db->executeQuery($sql);

// ...

## ESAPI.properties
# Because 2.0 uses CBC mode by default, it requires an initialization vector (IV).
# (All cipher modes except ECB require an IV.) There are two choices: we can either
# use a fixed IV known to both parties or allow ESAPI to choose a random IV. While
# the IV does not need to be hidden from adversaries, it is important that the
# adversary not be allowed to choose it. Also, random IVs are generally much more
# secure than fixed IVs. (In fact, it is essential that feed-back cipher modes
# such as CFB and OFB use a different IV for each encryption with a given key so
# in such cases, random IVs are much preferred. By default, ESAPI 2.0 uses random
# IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and
# uncomment the Encryptor.fixedIV.

## gist:276928

      
        
          
            
              
              0 files
            
          
          
            
              
              0 forks
            
          
          
            
              
              0 comments
            
          
          
            
              
              0 stars
            
          
        
        
          
              
          
          
            
                emerose
                / gist:276928
            
            
              Created
              January 14, 2010 05:39
            
          
        
      
        
          
            
              
              We couldn’t find that file to show.
	#!/usr/bin/env ruby
	require 'tempfile'

	KEYGEN = "/usr/bin/ssh-keygen"
	KEYSFILE = "authorized_keys"

	keys = []

	File.open(KEYSFILE).each_line do \|l\|
	next if (l =~ /\A\s*\Z/) # blank line
	#!/usr/bin/env ruby
	#
	# This program encrypts and decrypts messages at the command line.
	# It runs setuid root, so that it can be used by users without giving
	# them access to the (root-owned) secret encryption key.

	require 'openssl'

	SECRET_KEY="/etc/secrypt.key"
	OUTPUT_FILE="/tmp/secrypt.out"
	require 'open3'
	class RunningMan
	def initialize(*cmd)
	@cmd = cmd
	end

	attr_reader :status, :output, :error

	def run
	input, output, err = Open3.popen3(*@cmd)
	sqbook:local sq$ brew install openldap -vd
	==> Build Environment
	CC: /usr/bin/cc => /usr/bin/gcc-4.2
	CXX: /usr/bin/c++ => /usr/bin/c++-4.2
	LD: /usr/bin/cc => /usr/bin/gcc-4.2
	CFLAGS: -O3 -march=core2 -msse4.1 -w -pipe
	CXXFLAGS: -O3 -march=core2 -msse4.1 -w -pipe
	MAKEFLAGS: -j2
	==> Downloading ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.21.tgz
	File already downloaded and cached to /Users/sq/Library/Caches/Homebrew
	Exception in thread "main" java.lang.NullPointerException
	at java.net.Parts.<init>(URL.java:1262)
	at java.net.URL.<init>(URL.java:380)
	at java.net.URL.<init>(URL.java:283)
	at com.netifera.poet.ui.view.PoetComponent.createFormOracle(PoetComponent.java:252)
	at com.netifera.poet.ui.view.PoetComponent.doOracleTestAction(PoetComponent.java:223)
	at com.netifera.poet.ui.view.PoetComponent.actionButtonClicked(PoetComponent.java:213)
	at com.netifera.poet.ui.view.PoetComponent.access$2(PoetComponent.java:194)
	at com.netifera.poet.ui.view.PoetComponent$3.widgetSelected(PoetComponent.java:164)
	at org.eclipse.swt.widgets.TypedListener.handleEvent(Unknown Source)
	def random_password(length=10)
	allowed_chars = (('a'..'z').to_a + ('A'..'Z').to_a + ('0'..'9').to_a)
	ret = ''
	OpenSSL::Random.random_bytes(length).each_byte do \|b\|
	ret << allowed_chars[b % allowed_chars.length]
	end
	return ret
	end
	<?php
	//...
	$sql = "SELECT * FROM Users WHERE " .
	"(Username = '" . addslashes($username) . "') " .
	"AND (Token = '" . addslashes($token) . "')";
	$rs = $db->executeQuery($sql);
	if ( $rs->next() ) {
	//...
	?>
	<?php
	$salt = substr(md5(rand()), 0, 4);
	$hashedpassword = md5($password.$salt);
	$sql = "INSERT INTO Users (Username, Password, Salt) " .
	"VALUES ('" . addslashes($username) . "', " .
	"'$hashedpassword', '$salt')";
	$db->executeQuery($sql);

	// ...
	# Because 2.0 uses CBC mode by default, it requires an initialization vector (IV).
	# (All cipher modes except ECB require an IV.) There are two choices: we can either
	# use a fixed IV known to both parties or allow ESAPI to choose a random IV. While
	# the IV does not need to be hidden from adversaries, it is important that the
	# adversary not be allowed to choose it. Also, random IVs are generally much more
	# secure than fixed IVs. (In fact, it is essential that feed-back cipher modes
	# such as CFB and OFB use a different IV for each encryption with a given key so
	# in such cases, random IVs are much preferred. By default, ESAPI 2.0 uses random
	# IVs. If you wish to use 'fixed' IVs, set 'Encryptor.ChooseIVMethod=fixed' and
	# uncomment the Encryptor.fixedIV.