Liam Somerville leesoh

## HttpEvidenceGenerator.py
##
## Evidence Generator Evidence Generator - Burp Extension
##
## Download Jython and configure it in the Extender options:
## http://search.maven.org/remotecontent?filepath=org/python/jython-standalone/2.5.4-rc1/jython-standalone-2.5.4-rc1.jar
##
## Right click on any request from different Burp Suite tools and send to the extension
##

from burp import IBurpExtender, ITab, IContextMenuFactory

## Bootstrap_XSS.md

      
              1 file
            
          
              32 forks
            
          
              1 comment
            
          
              98 stars
            
          
                BlackFan
                / Bootstrap_XSS.md
            
            
              Last active
              April 24, 2024 20:28
            
              
                Bootstrap XSS Collection
              
          
    CVE-2019-8331

Bootstrap < 3.4.1 || < 4.3.1
✔️ CSP strict-dynamic bypass
➖ Requires user interaction
➖ Requires $('[data-toggle="tooltip"]').tooltip();

  
## gist:7b4a67bb7dd0cfbfbd83768f3aa6eb12
MATCH (u:User)-[r:AdminTo|MemberOf*1..]->(c:Computer
RETURN u.name

That’ll return a list of users who have admin rights on at least one system either explicitly or through group membership
---------------

MATCH
(U:User)-[r:MemberOf|:AdminTo*1..]->(C:Computer)
WITH
U.name as n,

## PowerShellDSCLateralMovement.ps1
# This idea originated from this blog post on Invoke DSC Resources directly:
# https://blogs.msdn.microsoft.com/powershell/2015/02/27/invoking-powershell-dsc-resources-directly/

<#
$MOFContents = @'
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
{
    ResourceID = "[Script]ScriptExample";
    GetScript = "\"$(Get-Date): I am being GET\"     | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
    TestScript = "\"$(Get-Date): I am being TESTED\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";

## responder-n-cookies.js
// Code mashed together from here: https://github.com/bettercap/caplets/
// Intended to use with Bettercap v2: https://github.com/bettercap/bettercap
//
// net.probe on
// sleep 1
// net.probe off
// set arp.spoof.targets <TARGETS>
// set https.proxy.script /root/caplets/responder-n-cookies.js
// set http.proxy.script /root/caplets/responder-n-cookies.js
// https.proxy on

## xml-attacks.md

      
              1 file
            
          
              30 forks
            
          
              5 comments
            
          
              114 stars
            
          
                mgeeky
                / xml-attacks.md
            
            
              Last active
              April 13, 2024 15:52
            
              
                XML Vulnerabilities and Attacks cheatsheet
              
          
    XML Vulnerabilities

XML processing modules may be not secure against maliciously constructed data. An attacker could abuse XML features to carry out denial of service attacks, access logical files, generate network connections to other machines, or circumvent firewalls.
The penetration tester running XML tests against application will have to determine which XML parser is in use, and then to what kinds of below listed attacks that parser will be vulnerable.


## .htaccess
	#
	# TO-DO: set |DESTINATIONURL| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
	#
	# Note this version requires Apache 2.4+
	#
	# Save this file into something like /etc/apache2/redirect.rules.
	# Then in your site's apache conf file (in /etc/apache2/sites-avaiable/), put this statement somewhere near the bottom
	#
	# Include /etc/apache2/redirect.rules
	#

## FileReadPrimitive.ps1
$CimSession = New-CimSession -ComputerName 10.0.0.2

$FilePath = 'C:\Windows\System32\notepad.exe'

# PS_ModuleFile only implements GetInstance (versus EnumerateInstance) so this trick below will force a "Get" operation versus the default "Enumerate" operation.
$PSModuleFileClass = Get-CimClass -Namespace ROOT/Microsoft/Windows/Powershellv3 -ClassName PS_ModuleFile -CimSession $CimSession
$InMemoryModuleFileInstance = New-CimInstance -CimClass $PSModuleFileClass -Property @{ InstanceID= $FilePath } -ClientOnly
$FileContents = Get-CimInstance -InputObject $InMemoryModuleFileInstance -CimSession $CimSession
$FileLengthBytes = $FileContents.FileData[0..3]
[Array]::Reverse($FileLengthBytes)

## bloom.py
#!/usr/bin/python3
#
# Simple Bloom filter implementation in Python 3
# Copyright 2017 Hector Martin "marcan" <marcan@marcan.st>
# Licensed under the terms of the MIT license
#
# Written to be used with the Have I been pwned? password list:
#   https://haveibeenpwned.com/passwords
#
# Download the pre-computed filter here (968MB, k=11, false positive p=0.0005):

## ChinaCache
admin.ellechina.com
admin.kaixin001.com.cn
admin.uuu9.com
admin.yocity.ccgslb.net
api.chinacache.com
api.dichan.ccgslb.com.cn
api.kaixin001.com.cn
api.mapbar.chinacache.net
api.mapbar.com
api.whaley.ccgslb.net
	##
	## Evidence Generator Evidence Generator - Burp Extension
	##
	## Download Jython and configure it in the Extender options:
	## http://search.maven.org/remotecontent?filepath=org/python/jython-standalone/2.5.4-rc1/jython-standalone-2.5.4-rc1.jar
	##
	## Right click on any request from different Burp Suite tools and send to the extension
	##

	from burp import IBurpExtender, ITab, IContextMenuFactory
	MATCH (u:User)-[r:AdminTo\|MemberOf*1..]->(c:Computer
	RETURN u.name

	That’ll return a list of users who have admin rights on at least one system either explicitly or through group membership
	---------------

	MATCH
	(U:User)-[r:MemberOf\|:AdminTo*1..]->(C:Computer)
	WITH
	U.name as n,
	# This idea originated from this blog post on Invoke DSC Resources directly:
	# https://blogs.msdn.microsoft.com/powershell/2015/02/27/invoking-powershell-dsc-resources-directly/

	<#
	$MOFContents = @'
	instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
	{
	ResourceID = "[Script]ScriptExample";
	GetScript = "\"$(Get-Date): I am being GET\" \| Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
	TestScript = "\"$(Get-Date): I am being TESTED\" \| Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
	// Code mashed together from here: https://github.com/bettercap/caplets/
	// Intended to use with Bettercap v2: https://github.com/bettercap/bettercap
	//
	// net.probe on
	// sleep 1
	// net.probe off
	// set arp.spoof.targets <TARGETS>
	// set https.proxy.script /root/caplets/responder-n-cookies.js
	// set http.proxy.script /root/caplets/responder-n-cookies.js
	// https.proxy on
	#
	# TO-DO: set \|DESTINATIONURL\| below to be whatever you want e.g. www.google.com. Do not include "http(s)://" as a prefix. All matching requests will be sent to that url. Thanks @Meatballs__!
	#
	# Note this version requires Apache 2.4+
	#
	# Save this file into something like /etc/apache2/redirect.rules.
	# Then in your site's apache conf file (in /etc/apache2/sites-avaiable/), put this statement somewhere near the bottom
	#
	# Include /etc/apache2/redirect.rules
	#
	$CimSession = New-CimSession -ComputerName 10.0.0.2

	$FilePath = 'C:\Windows\System32\notepad.exe'

	# PS_ModuleFile only implements GetInstance (versus EnumerateInstance) so this trick below will force a "Get" operation versus the default "Enumerate" operation.
	$PSModuleFileClass = Get-CimClass -Namespace ROOT/Microsoft/Windows/Powershellv3 -ClassName PS_ModuleFile -CimSession $CimSession
	$InMemoryModuleFileInstance = New-CimInstance -CimClass $PSModuleFileClass -Property @{ InstanceID= $FilePath } -ClientOnly
	$FileContents = Get-CimInstance -InputObject $InMemoryModuleFileInstance -CimSession $CimSession
	$FileLengthBytes = $FileContents.FileData[0..3]
	[Array]::Reverse($FileLengthBytes)
	#!/usr/bin/python3
	#
	# Simple Bloom filter implementation in Python 3
	# Copyright 2017 Hector Martin "marcan" <marcan@marcan.st>
	# Licensed under the terms of the MIT license
	#
	# Written to be used with the Have I been pwned? password list:
	# https://haveibeenpwned.com/passwords
	#
	# Download the pre-computed filter here (968MB, k=11, false positive p=0.0005):
	admin.ellechina.com
	admin.kaixin001.com.cn
	admin.uuu9.com
	admin.yocity.ccgslb.net
	api.chinacache.com
	api.dichan.ccgslb.com.cn
	api.kaixin001.com.cn
	api.mapbar.chinacache.net
	api.mapbar.com
	api.whaley.ccgslb.net