@ndavison
ndavison / nginx-drupal-hhvm.conf
Last active January 3, 2017 00:37
Nginx load balancing configuration for HHVM and Drupal
upstream myapp1 {
server 127.0.0.1:9000;
server 127.0.0.1:9001;
}
server {
listen 80;
server_name localhost;
root /var/www/html;
index index.php;
@ndavison
ndavison / gist:29708215fd5b4af2f2e2379dd2c24c96
Created April 30, 2017 09:47
GravCMS convert inline JS into sourced file JS
diff --git a/system/src/Grav/Common/Assets.php b/system/src/Grav/Common/Assets.php
index 12efc1a..383cd8d 100644
--- a/system/src/Grav/Common/Assets.php
+++ b/system/src/Grav/Common/Assets.php
@@ -678,15 +678,20 @@ class Assets
}
}
- // Render Inline JS
+ // Convert Inline JS into a sourced JS file
@ndavison
ndavison / build.sh
Last active February 28, 2018 01:25
DTA marketplace dev build
#!/bin/bash
#
# Digital Marketplace dev environment build script.
#
# use brew to install the following before running this script:
#
# postgres 9.6.x
# nvm
# cairo
# pango
#!/bin/bash
#
# This updates the CF ups-dm-common app's env vars. You need to make sure
# the below JSON encoded object contains *all* the env vars, as this is a
# complete replacement.
#
cf update-user-provided-service ups-dm-common -p @<(cat <<EOF
{
"ENV_VAR_EXAMPLE_1": "xxx",
@ndavison
ndavison / vscode-sqli-search.txt
Created December 12, 2018 23:11
VSCode search for SQLAlchemy functions that might be vulnerable to SQL Injection if used incorrectly
\.(filter|having|distinct|group_by|order_by)\(
?[^\)]+
@ndavison
ndavison / build.sh
Last active February 1, 2019 03:29
DTA marketplace build v2 (bash only)
#!/bin/bash
#
# Digital Marketplace dev environment build script.
#
# use brew to install the following before running this script:
#
# postgres 9.6.x
# nvm
# yarn
# bower
@ndavison
ndavison / circleci-find-tag-build.py
Last active June 26, 2019 07:23
A script to find the CircleCI build associated with a particular VCS tag value
import requests
import json
import os
from argparse import ArgumentParser
parser = ArgumentParser(description="Queries the circleci API for the build associated with a VCS tag.")
parser.add_argument("-p", "--project", help="project to request circleci build logs for")
parser.add_argument("-r", "--repo", help="repo to request circleci build logs for")
parser.add_argument("-t", "--tag", help="the VCS tag value to look for")
@ndavison
ndavison / flask-login-example.py
Created August 20, 2019 02:47
Simple Flask (with Flask-Login) example
from flask import Flask, request, jsonify, session
from flask_login import current_user, login_required, login_user, LoginManager, logout_user
app = Flask(__name__)
app.secret_key = b'_5#y2L"F4Q8z\n\xec]/'
login_manager = LoginManager()
login_manager.init_app(app)
@ndavison
ndavison / wp-visualizer-xss.md
Last active November 21, 2019 23:14
Wordpress Visualizer plugin stored XSS

Wordpress Visualizer plugin stored XSS CVE-2019-16931

The Visualizer plugin for Wordpress suffers from an unauthenticated stored XSS vulnerability. This was tested against v3.3.0.

Summary

This XSS actually relies on another vulnerability of sorts, in that it is possible for an anonymous user to modify data on an already created chart object by simply sending a constructed POST request to the /wp-json/visualizer/v1/update-chart WP-JSON API endpoint. This can be seen here where the endpoint is registered (classes/Visualizer/Gutenberg/Block.php) with no access control:

register_rest_route(
@ndavison
ndavison / wp-visualizer-ssrf.md
Last active November 21, 2019 23:14
Wordpress Visualizer blind SSRF

Wordpress Visualizer plugin blind SSRF CVE-2019-16932

The Visualizer plugin for Wordpress suffers from an unauthenticated blind SSRF vulnerability. This was tested against v3.3.0.

PoC setup

Set up a Docker environment using this compose config: https://docs.docker.com/compose/wordpress/

However, rather than running docker-compose up -d, just run docker-compose up, as we want to see the output from the MySQL server to prove the SSRF.