This is orange!

Orange Tsai orangetw

ndavison /
Last active Sep 26, 2020
Attempts to find hop-by-hop header abuse potential against the provided URL.
import requests
import random
import string
from argparse import ArgumentParser
parser = ArgumentParser(description="Attempts to find hop-by-hop header abuse potential against the provided URL.")
parser.add_argument("-u", "--url", help="URL to target (without query string)")
g0tmi1k /
Last active Sep 21, 2020
drupalgeddon2 / SA-CORE-2018-002 / CVE-2018-7600 cURL (PoC)
niklasb / railspwn.rb
Last active Aug 18, 2020
Rails 5.1.4 YAML unsafe deserialization RCE payload
View railspwn.rb
require 'yaml'
require 'base64'
require 'erb'
class ActiveSupport
class Deprecation
def initialize()
@silenced = true
class DeprecatedInstanceVariableProxy
jhaddix / all.txt
Last active Dec 2, 2020
all wordlists from every dns enumeration tool... ever. Please excuse the lewd entries =/
View all.txt
ryhanson /
Last active Nov 5, 2020
Execute a DLL via .xll files and the Excel.Application object's RegisterXLL() method

DLL Execution via Excel.Application RegisterXLL() method

A DLL can be loaded and executed via Excel by initializing the Excel.Application COM object and passing a DLL to the RegisterXLL method. The DLL path does not need to be local; it can also be a UNC path that points to a remote WebDAV server.

When delivering via WebDAV, note that the DLL is still written to disk, but the dropped file is not the one loaded into the process. This is the case for any file downloaded via WebDAV; such files are stored at: C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\.

The RegisterXLL function expects an XLL add-in, which is essentially a specially crafted DLL with specific exports. More info on XLLs can be found on MSDN.

The XLL can also be executed by double-clicking the .xll file; however, there is a security warning. @rxwx has more notes on this here inc

c3c /
Created Feb 24, 2017
Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Original exploit by corsix and sghctoma
## Author: @c3c
## It's possible to abuse the Lua 5.1 sandbox to obtain RCE by loading modified bytecode
## This concept is fully explained on corsix' gist at
## This version uses pieces of the 32-bit Windows exploit made by corsix and the 64-bit Linux exploit made by sghctoma; as expected, a few offsets were different
## sghctoma's exploit uses the arbitrary memory read to leak pointers to libc and find the address of "system"
## This code is much the same, except the process is done using pwntools' DynELF
## Furthermore, attempting to leak addresses in libc appears to cause segfaults on my 32-bit Linux, in which case, you will need to obtain the remote libc version
rverton / cowroot.c
Created Oct 21, 2016
CVE-2016-5195 (DirtyCow) Local Root PoC
View cowroot.c
* (un)comment correct payload first (x86 or x64)!
* $ gcc cowroot.c -o cowroot -pthread
* $ ./cowroot
* DirtyCow root privilege escalation
* Backing up /usr/bin/passwd.. to /tmp/bak
* Size of binary: 57048
* Racing, this may take a while..
* /usr/bin/passwd overwritten
View gist:07d8d4c833873be2f68c34f9afc5a78a

Cryptographic Best Practices

Putting cryptographic primitives together is a lot like putting a jigsaw puzzle together, where all the pieces are cut exactly the same way, but there is only one correct solution. Thankfully, there are some projects out there that are working hard to make sure developers are getting it right.

The following advice comes from years of research from leading security researchers, developers, and cryptographers. This Gist was [forked from Thomas Ptacek's Gist][1] to be more readable. Additions have been added from

craigbeck / introspection-query.graphql
Created Apr 6, 2016
Introspection query for GraphQL
View introspection-query.graphql
query IntrospectionQuery {
__schema {
queryType { name }
mutationType { name }
subscriptionType { name }
types {
directives {
View bounties.csv
cve product bounty source
CVE-2014-0257 .NET Framework 5,000.00
CVE-2015-3842 Android 2,000.00
CVE-2015-3847 Android 1,500.00
CVE-2015-3860 Android 500.00
CVE-2015-3862 Android 333.00
CVE-2015-3865 Android 1,500.00
CVE-2015-3867 Android 4,000.00
CVE-2015-3868 Android 4,000.00
CVE-2015-3869 Android 3,000.00