Skip to content

Instantly share code, notes, and snippets.

View thomaspatzke's full-sized avatar

Thomas Patzke thomaspatzke

View GitHub Profile
@thomaspatzke
thomaspatzke / extract_post_parameters_from_burpexport.sh
Last active June 12, 2025 12:00
Extract particular HTTP request parameter value (POST) from Burp XML save file without Base64 request/response encoding. Here I extract the NavigationTarget parameter of a SAP Portal application.
xmlstarlet sel -t -m '//items/item[contains(./request,"NavigationTarget")]' -v 'substring-before(substring-after(./request, "NavigationTarget="), "&")' -n Crawl-*.xml | perl -mURI::Escape -ne 'print URI::Escape::uri_unescape($_);' | sort -u
@thomaspatzke
thomaspatzke / find_unique.sh
Created January 7, 2015 13:59
Generate a list of files with unique content
find -type f -exec sha256sum {} \; | sort | perl -ne '($h, $f) = /^(\S+)\s+(.*)$/; if (defined $ph && $ph ne $h || !defined $ph) { print "$f\n" } $ph = $h; $pf = $f;'
@thomaspatzke
thomaspatzke / extract_post_parameters_from_burpexport-without_xmlstarlet.sh
Created January 19, 2015 13:24
Extract POST parameter (here javax.faces.ViewState) from files with saved HTTP requests
grep javax.faces.ViewState POSTs.xml | perl -mURI::Escape -ne '/javax\.faces\.ViewState=(.*?)&/; print URI::Escape::uri_unescape($1); print "\n"' | sort -u
@thomaspatzke
thomaspatzke / CSRFToken.py
Created February 3, 2015 14:01
Burp extension: extract CSRF tokens from responses of selected Burp tools and update them with a custom session handling rule.
from burp import (IBurpExtender, IBurpExtenderCallbacks, ISessionHandlingAction, IHttpListener)
import re
class BurpExtender(IBurpExtender, ISessionHandlingAction, IHttpListener):
def registerExtenderCallbacks(self, callbacks):
self.callbacks = callbacks
self.helpers = callbacks.getHelpers()
callbacks.setExtensionName("Session CSRF Token Handling")
self.callbacks.registerSessionHandlingAction(self)
self.callbacks.registerHttpListener(self)
@thomaspatzke
thomaspatzke / Burp-SessionHandlingActionReplaceIDInResponse.py
Created February 2, 2015 11:19
This is a template for a Burp extension that can be used as session handling macro action. It pulls an identifier (here: last part of location header from redirection response) from the first macro response and puts it in the given place of the current request (here: last URL path component). Adapt as needed at the places marked with "CONFIG" co…
from burp import (IBurpExtender, ISessionHandlingAction)
import re
class BurpExtender(IBurpExtender, ISessionHandlingAction):
def registerExtenderCallbacks(self, callbacks):
self.callbacks = callbacks
self.helpers = callbacks.getHelpers()
callbacks.setExtensionName("Path Parameter Session Handling Action")
self.callbacks.registerSessionHandlingAction(self)
self.out = callbacks.getStdout()
@thomaspatzke
thomaspatzke / net-config.sh
Created January 19, 2016 22:46
Shell script to quickly switch between real Internet connection (NAT) and simulated (INetSim)
#!/bin/bash
case "$1" in
router)
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
systemctl start dnsmasq.service
;;
router-stop)
sysctl -w net.ipv4.ip_forward=0
@thomaspatzke
thomaspatzke / nmap-open-ports.sh
Last active June 12, 2025 11:59
Extract all open ports in Host:Port format from nmap XML output
xmlstarlet sel -t -m '//port/state[@state="open"]/parent::port' -v 'ancestor::host/address/@addr' -o : -v './@portid' -n nmap-output.xml
@thomaspatzke
thomaspatzke / proxy_http_connect-portscanner.sh
Created September 1, 2016 13:28
Simple HTTP CONNECT Proxy Portscanner
for (( p=0; p <= 65535; p++ )); do echo "Probing port $p"; echo -n "Port $p: " >> portscan.log; (echo CONNECT targethost:$p HTTP/1.1; echo) | nc -q 3 proxyhost proxyport | head -1 >> portscan.log; done
@thomaspatzke
thomaspatzke / Burp-CSRFRandomName.py
Created February 15, 2017 09:09
Burp Session Handling Extension: CSRF tokens with random parameter names
from burp import (IBurpExtender, IBurpExtenderCallbacks, ISessionHandlingAction, IHttpListener)
import re
class BurpExtender(IBurpExtender, ISessionHandlingAction, IHttpListener):
def registerExtenderCallbacks(self, callbacks):
self.callbacks = callbacks
self.helpers = callbacks.getHelpers()
callbacks.setExtensionName("Handling of CSRF Tokens with Random Names")
self.callbacks.registerSessionHandlingAction(self)
self.callbacks.registerHttpListener(self)
@thomaspatzke
thomaspatzke / Kill-Ransomware.ps1
Created November 5, 2019 12:29
Ransomware Killer
# Ransomware Killer v0.1 by Thomas Patzke <thomas@patzke.org>
# Kill all parent processes of the command that tries to run "vssadmin Delete Shadows"
# IMPORTANT: This must run with Administrator privileges!
Register-WmiEvent -Query "select * from __instancecreationevent within 0.1 where targetinstance isa 'win32_process' and targetinstance.CommandLine like '%vssadmin%Delete%Shadows%'" -Action {
# Kill all parent processes from detected vssadmin process
$p = $EventArgs.NewEvent.TargetInstance
while ($p) {
$ppid = $p.ParentProcessID
$pp = Get-WmiObject -Class Win32_Process -Filter "ProcessID=$ppid"
Write-Host $p.ProcessID