Skip to content

Instantly share code, notes, and snippets.

@nikcub
nikcub / disqus-xss.html
Created Aug 13, 2014
Disqus for Wordpress v2.7.5 XSS Exploit
View disqus-xss.html
<!--
Exploit for Disqus for Wordpress admin stored CSRF+XSS up to v2.7.5
Blog post explainer: https://www.nikcub.com/posts/multiple-vulnerabilities-in-disqus-wordpress-plugin/
12th August 2014
Nik Cubrilovic - www.nikcub.com
Most of these params are unfiltered/injectable. Not framable on newer Wordpress.
@nikcub
nikcub / cscart-exploit.py
Last active Feb 25, 2017
CS-Cart Session Brute Force Exploit
View cscart-exploit.py
#!/usr/bin/env python
# CS-Cart session brute force exploit for v4.2.0
# see https://www.nikcub.com/posts/cs-cart-v4-2-0-session-hijacking-and-other-vulnerabilities/
import sys
import requests
import argparse
import re
import string
import random
@nikcub
nikcub / composer.json
Created May 28, 2014
composer example
View composer.json
{
"name": "webwall/site",
"require": {
"php": ">=5.3.3",
"silex/silex": "~1.1",
"twig/twig": "1.*",
"symfony/twig-bridge": "*",
"monolog/monolog": "*",
"symfony/monolog-bridge": "*",
"symfony/security": "*",
@nikcub
nikcub / torrc
Last active Aug 29, 2015
Tor Relay & Bridge Config
View torrc
#
# tor relay / bridge config
#
# apt-get install tor
#
# yum install tor (after adding EPEL or similar as a repo)
#
# dump this config file into the default tor config file location (/etc/tor/torrc)
#
# see also: https://www.torproject.org/docs/installguide.html.en
@nikcub
nikcub / satoshi.txt
Last active Aug 29, 2015
Newsweek Satoshi Story
View satoshi.txt
Satoshi Nakamoto stands at the end of his sunbaked driveway looking timorous. And annoyed.
He's wearing a rumpled T-shirt, old blue jeans and white gym socks, without shoes, like he has left the house in a hurry. His hair is unkempt, and he has the thousand-mile stare of someone who has gone weeks without sleep.
He stands not with defiance, but with the slackness of a person who has waged battle for a long time and now faces a grave loss.
Two police officers from the Temple City, Calif., sheriff's department flank him, looking puzzled. "So, what is it you want to ask this man about?" one of them asks me. "He thinks if he talks to you he's going to get into trouble."
"I don't think he's in any trouble," I say. "I would like to ask him about Bitcoin. This man is Satoshi Nakamoto."
@nikcub
nikcub / gist:7767735
Created Dec 3, 2013
vBulletin 5.0.0 all Beta releases SQL Injection Exploit 0day
View gist:7767735
vBulletin 5.0.0 all Beta releases SQL Injection Exploit 0day
#Category: web application
#Type: SQL Injection
#Requirements: Firefox/Live HTTP Headers/
#Dork: Powered by vBulletin™ Version 5.0.0 Beta (or) Use ur Brain you'll get more o_O
Step 1
Create an Account on vBulletin forum Verify the account and Activate it
View nikcub.key
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG/MacGPG2 v2.0.20 (Darwin)
Comment: GPGTools - https://gpgtools.org
mQMuBFJU3swRCADbRVdSEXGq7+TfRZG5N0WML4g0BJUSk92Yvm9hbLZBG4QZ90Ud
cr5TrM2gclOq5KL3DeSBqgX8d3o67d6fkIAAu70BObg2LcammEFUIxRPpkYgtnBr
MMJByXxUVE3ZX3z2Uc/8LHjYLSRJvzsVImLa85sNpNB58GVeTbqFdVYohOunsjpO
2vNlNK3yVBwqqi/stq+9cDexDkr4WXeBtuc0AiROF3Ar1KYeRyGB8nzXQfOFxr8q
xe7KQ89Sf9O8kf1ktlCNnb0MmTPPAMvM6hnWRtJuOxynM3AZyiOJqN+hod0QsN6y
twnLc6ZJ8jADCd0XFo0k7m3bTNHs5MiKXC+rAQChIlwunQqEXdlqUeT7xRNiseeb
View gist:5323021
repost of my comment on Facebook here: https://www.facebook.com/lisapadilla/posts/627211503961250?comment_id=7377112&offset=0&total_comments=45

for those that don't have permission to view it.

I'll go on the record in this thread to say that I lived in the same house as Arrington for the entire time he dated Jenn. I never once saw even a hint of physical abuse, let alone rape or any of the other things that have been suggested. He broke off the relationship and she was extremely attached to him and jealous of his new relationships. I have screen shots of previous Facebook posts Jenn has made where she has aired dirty laundry. She deleted at least one of those messages. Every time I have spoken to and caught up with Mike in the past few years he has mentioned the ongoing problem he has with her. I won't go into the details of what he told me, but I will say that I am very very skeptical of the post she made. Infact, when she made the post I immediately took a screenshot of it and emailed it to mike w

@nikcub
nikcub / gist:4696417
Created Feb 2, 2013
Twitter revoke all OAuth
View gist:4696417
go to settings > applications and paste the following javascript into your browser console or the address bar:
javascript:var a=document.querySelectorAll('button.revoke');for(var i=0, len=a.length; i<len; i++) { if(a[i].innerHTML=="Revoke access"){a[i].click();};
that will automatically click 'revoke' for all the applications
not that some browsers, such as chrome, will remove the 'javascript:' part if you paste it in, just type it back in and press enter. leave the browser open for 15-20 seconds and then refresh
@nikcub
nikcub / gist:4696395
Last active Dec 12, 2015
remove all twitter oauth
View gist:4696395
<h3>Step 1</h3>
<p>Visit the Twitter settings page for OAuth applications by going to Settings > Applications or https://twitter.com/settings/applications</p>
<p>Paste the following Javascript into your browser URL bar and hit enter</p>
<pre>javascript:var a=document.querySelectorAll('button.revoke');for(var i=0, len=a.length; i<len; i++) { if(a[i].innerHTML=="Revoke access"){a[i].click();};</pre>
<p>Note: Some browsers, such as 'chrome' will remove the javascript: part of that URL when you paste it in. Just type it back in.</p>