Skip to content

Instantly share code, notes, and snippets.

Avatar
🔒
https://localhost/?bbq="omg">'wtf'

Michal Špaček spaze

🔒
https://localhost/?bbq="omg">'wtf'
View GitHub Profile
View keybase.md

Keybase proof

I hereby claim:

  • I am spaze on github.
  • I am spaze (https://keybase.io/spaze) on keybase.
  • I have a public key whose fingerprint is 4BD4 C403 AF2F 9FCC B151 FE61 B64B DD6E 464A B529

To claim this, I am signing this object:

View CheckLength.php
<?php
/**
* Check if the file is over given size.
*
* Use Content-Length header or partially download a file to see if it is bigger than specified size.
* Downloads up to the $limit bytes but not more.
*
* Enjoy.
*/
class CheckLength
@spaze
spaze / rbcz-email-injection.msg
Last active Aug 29, 2015
rb.cz email injection (working until new website got deployed 2015-04-02, vulnerable since 2011 at least, reported at least in 2013, 2014)
View rbcz-email-injection.msg
Received: (qmail 23343 invoked by uid 1013); 31 Oct 2013 16:45:31 -0000
Received: from no-reply@rb.cz by smtp by uid 0 with qmail-scanner-1.22
( Clear:RC:0(62.168.6.253):.
Processed in 0.011431 secs); 31 Oct 2013 16:45:31 -0000
Received: from smtp2.rb.cz (62.168.6.253)
by smtp.example.com with SMTP; 31 Oct 2013 16:45:31 -0000
Received: from sv72-wwwjbo2-al-02 (unknown [172.18.8.181])
by smtp2.rb.cz (Postfix) with ESMTP id 2AF4D18038D
for <spam@example.com>; Thu, 31 Oct 2013 17:45:31 +0100 (CET)
From: no-reply@rb.cz
View cetelem.json
{"host":"https://www.cetelem.cz/","port":443,"protocol":"HTTP","isPublic":
false,"status":"READY","startTime":1434634996112,"testTime":
1434635164451,"engineVersion":"1.18.1","criteriaVersion":"2009j",
"endpoints":[{"ipAddress":"193.86.17.252","serverName":"www.cetelem.cz",
"statusMessage":"Ready","grade":"F","gradeTrustIgnored":"F",
"hasWarnings":false,"isExceptional":false,"progress":100,"duration":
150647,"eta":2,"delegation":2,"details":{"hostStartTime":
1434634996112,"key":{"size":2048,"alg":"RSA","debianFlaw":false,
"strength":2048},"cert":{"subject":
"CN\u003dwww.cetelem.cz,OU\u003dMember, VeriSign Trust Network,OU\u003dAuthenticated by VeriSign,OU\u003dTerms of use at www.verisign.ch/rpa (c)05,OU\u003dCetelem,O\u003dCETELEM CR, a.s.,L\u003dPraha 5,ST\u003dPraha 5,C\u003dCZ,2.5.4.5\u003d#13083235303835363839,2.5.4.15\u003d#131450726976617465204f7267616e697a6174696f6e,1.3.6.1.4.1.311.60.2.1.3\u003d#1302435a",
@spaze
spaze / sktorrentanalysis.txt
Created Feb 23, 2016
Password analysis of SkTorrent.eu dump
View sktorrentanalysis.txt
Basic Results
Total entries = 118566
Total unique entries = 98397
Top 10 passwords
FuckYou = 864 (0.73%)
123456 = 739 (0.62%)
123456789 = 677 (0.57%)
NULL = 175 (0.15%)
View xzoneczanalysis.txt
Basic Results
Total entries = 26502
Total unique entries = 25475
Top 10 passwords
Tomáš = 11 (0.04%)
Destiny251984 = 9 (0.03%)
pchry = 8 (0.03%)
Janusek = 7 (0.03%)
View result.txt
id select_type table partitions type possible_keys key key_len ref rows filtered Extra
1 SIMPLE foo ref code code 34 const 1 100.00 Using index
id select_type table partitions type possible_keys key key_len ref rows filtered Extra
1 SIMPLE foo index code code 34 12 10.00 "Using where; Using index"
@spaze
spaze / 307timing.txt
Created Mar 8, 2018
The 307 timing includes 200's content download
View 307timing.txt
662538: URL_REQUEST
http://www.michalspacek.cz/
Start Time: 2018-03-09 00:52:52.274
t=10702 [st= 0] +REQUEST_ALIVE [dt=76]
--> priority = "HIGHEST"
--> url = "http://www.michalspacek.cz/"
t=10702 [st= 0] URL_REQUEST_DELEGATE [dt=1]
t=10703 [st= 1] +URL_REQUEST_START_JOB [dt=0]
--> load_flags = 37122 (BYPASS_CACHE | MAIN_FRAME_DEPRECATED | MAYBE_USER_GESTURE | VERIFY_EV_CERT)
@spaze
spaze / ssls-letsencrypt.md
Last active Mar 15, 2018
Otevřená odpověd ssls.cz na e-mail s předmětem "Upozornění: Zabezpečení domény"
View ssls-letsencrypt.md

Provozovatelé ssls.cz poslali e-mail zákazníkům, kteří od nich dříve kupovali certifikáty, ale přešli na certifikáty od Let's Encrypt. Ukázku toho e-mailu najdete na https://twitter.com/parisek/status/802847950863011840, podobná srovnávací tabulka je i na https://www.ssls.cz/lets-encrypt.html. Napsal jsem ssls.cz otevřenou odpověď, kterou najdete v nezměněné podobě níže. (Opravil jsem jen překlepy a chybějící interpunkční znaménka, díky za jejich nahlášení.)

Dobrý den,

(tuto odpověď píšu jako otevřený dopis, publikoval jsem ji také na https://gist.github.com/spaze/e081b948b8cd7d06dddbe9e6fa65c5ac)

díky za e-mail, jsem Vaším bývalým zákazníkem a podobným textem, který obsahuje zavádějící i nepravdivé informace, si mě nezískáte zpět. Pro mě

@spaze
spaze / pbkdf2-symfony-polyfill.php
Last active Oct 12, 2018
Symfony's PBKDF2 polyfill benchmark (TL;DR it's slow, DO NOT USE, use hash_pbkdf2 available in PHP 5.5+ if you must use PBKDF2 but just use password_hash) for the thread here https://twitter.com/spazef0rze/status/1050436425559302147
View pbkdf2-symfony-polyfill.php
<?php
function hashPbkdf2($algorithm, $password, $salt, $iterations, $length = 0)
{
// Number of blocks needed to create the derived key
$blocks = ceil($length / strlen(hash($algorithm, null, true)));
$digest = '';
for ($i = 1; $i <= $blocks; $i++) {
$ib = $block = hash_hmac($algorithm, $salt . pack('N', $i), $password, true);
// Iterations
for ($j = 1; $j < $iterations; $j++) {