nikcub / disqus-xss.html
Created Aug 13, 2014
Disqus for Wordpress v2.7.5 XSS Exploit
Exploit for Disqus for Wordpress admin stored CSRF+XSS up to v2.7.5
Blog post explainer:
12th August 2014
Nik Cubrilovic -
Most of these params are unfiltered/injectable. Not framable on newer Wordpress.
nikcub /
Last active Feb 25, 2017
CS-Cart Session Brute Force Exploit
#!/usr/bin/env python
# CS-Cart session brute force exploit for v4.2.0
# see
import sys
import requests
import argparse
import re
import string
import random
nikcub / composer.json
Created May 28, 2014
composer example
"name": "webwall/site",
"require": {
"php": ">=5.3.3",
"silex/silex": "~1.1",
"twig/twig": "1.*",
"symfony/twig-bridge": "*",
"monolog/monolog": "*",
"symfony/monolog-bridge": "*",
"symfony/security": "*",
nikcub / torrc
Last active Aug 29, 2015
Tor Relay & Bridge Config
# tor relay / bridge config
# apt-get install tor
# yum install tor (after adding EPEL or similar as a repo)
# dump this config file into the default tor config file location (/etc/tor/torrc)
# see also:
nikcub / satoshi.txt
Last active Aug 29, 2015
Newsweek Satoshi Story
Satoshi Nakamoto stands at the end of his sunbaked driveway looking timorous. And annoyed.
He's wearing a rumpled T-shirt, old blue jeans and white gym socks, without shoes, like he has left the house in a hurry. His hair is unkempt, and he has the thousand-mile stare of someone who has gone weeks without sleep.
He stands not with defiance, but with the slackness of a person who has waged battle for a long time and now faces a grave loss.
Two police officers from the Temple City, Calif., sheriff's department flank him, looking puzzled. "So, what is it you want to ask this man about?" one of them asks me. "He thinks if he talks to you he's going to get into trouble."
"I don't think he's in any trouble," I say. "I would like to ask him about Bitcoin. This man is Satoshi Nakamoto."
nikcub / gist:7767735
Created Dec 3, 2013
vBulletin 5.0.0 all Beta releases SQL Injection Exploit 0day
#Category: web application
#Type: SQL Injection
#Requirements: Firefox/Live HTTP Headers/
#Dork: Powered by vBulletin™ Version 5.0.0 Beta (or) Use ur Brain you'll get more o_O
Step 1
Create an Account on vBulletin forum Verify the account and Activate it
nikcub / nikcub.key
Version: GnuPG/MacGPG2 v2.0.20 (Darwin)
Comment: GPGTools -
nikcub / gist:5323021
repost of my comment on Facebook here:

for those that don't have permission to view it.

I'll go on the record in this thread to say that I lived in the same house as Arrington for the entire time he dated Jenn. I never once saw even a hint of physical abuse, let alone rape or any of the other things that have been suggested. He broke off the relationship and she was extremely attached to him and jealous of his new relationships. I have screen shots of previous Facebook posts Jenn has made where she has aired dirty laundry. She deleted at least one of those messages. Every time I have spoken to and caught up with Mike in the past few years he has mentioned the ongoing problem he has with her. I won't go into the details of what he told me, but I will say that I am very very skeptical of the post she made. In fact, when she made the post I immediately took a screenshot of it and emailed it to mike w

nikcub / gist:4696417
Created Feb 2, 2013
Twitter revoke all OAuth
go to settings > applications and paste the following javascript into your browser console or the address bar:
javascript:var a=document.querySelectorAll('button.revoke');for(var i=0, len=a.length; i<len; i++) { if(a[i].innerHTML=="Revoke access"){a[i].click();}}
that will automatically click 'revoke' for all the applications
note that some browsers, such as chrome, will remove the 'javascript:' part if you paste it in; just type it back in and press enter. leave the browser open for 15-20 seconds and then refresh
nikcub / gist:4696395
Last active Dec 12, 2015
remove all twitter oauth
<h3>Step 1</h3>
<p>Visit the Twitter settings page for OAuth applications by going to Settings > Applications or</p>
<p>Paste the following Javascript into your browser URL bar and hit enter</p>
<pre>javascript:var a=document.querySelectorAll('button.revoke');for(var i=0, len=a.length; i<len; i++) { if(a[i].innerHTML=="Revoke access"){a[i].click();}}</pre>
<p>Note: Some browsers, such as 'chrome' will remove the javascript: part of that URL when you paste it in. Just type it back in.</p>