yehgdotnet

<?php 
class hacker{
	
	private function secret() {
		echo "<h2 style='color:red'>Executed secret or privilaged operations.</h2>";
		
	}
	public function test($arg){
		${"func"} = $arg;
		$this->${"func"}();

yehgdotnet

Security Advisory – Java SE

Chris Frohoff – Qualcomm Information Security and Risk Management

Introduction

• Affected Product(s): Java SE 6, Java SE 7
• Fixed in: Java SE 7u25 (2013-06-18), Java SE 8 (2014-03-18)
• Vendor Contact: secalert_us@oracle.com
• Vulnerability Type: Unsafe Object Deserialization

yehgdotnet

Security Advisory – Java SE

Chris Frohoff – Qualcomm Information Security and Risk Management

Introduction

• Affected Product(s): Java SE 6, Java SE 7
• Fixed in: Java SE 7u25 (2013-06-18), Java SE 8 (2014-03-18)
• Vendor Contact: secalert_us@oracle.com
• Vulnerability Type: Unsafe Object Deserialization

yehgdotnet

Insecure:

public class LooseSourceCheck {
    public static void showExample(String url){

        try{
            if(url.startsWith("http://trustedsubdomain")){
                System.out.print(String.format("Trusted subdomain: ", url));
            }
            else {

yehgdotnet

$ avdmanager
Exception in thread "main" java.lang.NoClassDefFoundError: javax/xml/bind/annotation/XmlSchema
	at com.android.repository.api.SchemaModule$SchemaModuleVersion.<init>(SchemaModule.java:156)
	at com.android.repository.api.SchemaModule.<init>(SchemaModule.java:75)
	at com.android.sdklib.repository.AndroidSdkHandler.<clinit>(AndroidSdkHandler.java:81)
	at com.android.sdklib.tool.AvdManagerCli.run(AvdManagerCli.java:213)
	at com.android.sdklib.tool.AvdManagerCli.main(AvdManagerCli.java:200)
Caused by: java.lang.ClassNotFoundException: javax.xml.bind.annotation.XmlSchema
	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:582)
	at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:185)

yehgdotnet

import java.util.*;

public class utilMap {
    public static void showExample(){
        Map<Integer,String> map=new HashMap<Integer,String>();
        map.put(100,"Amit");
        map.put(101,"Vijay");
        map.put(102,"Rahul}\r\n{103 Attacker}\r\n{"); // attacker's controlled value
        System.out.println(map);

yehgdotnet

// Coded by Myo Soe, https://yehg.net
/*
 Usage: 

   RegexDOSDemo ev1 = new RegexDOSDemo("AAAAAAAAAA");
   RegexDOSDemo ev2 = new RegexDOSDemo("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

yehgdotnet

#!/usr/bin/env python
# rduck-pinbrute: Generate Duckyscript file that brute forces all 4-digit
# PIN values for use in attacking Android devices.  Prioritizes common
# PIN values before resorting to exhaustive 0000-9999 search.
# Joshua Wright, josh@willhackforsushi.com. Public Domain.
#
# Inspired by Darren Kitchen script: 
# https://forums.hak5.org/index.php?/topic/28165-payload-android-brute-force-4-digit-pin/

# Data Genetics high probability list

yehgdotnet

( find . -type d -name ".git" && find . -name ".gitignore" && find . -name ".gitmodules" ) | xargs rm -rf

yehgdotnet

git add -A
echo "Press enter to commit"
read varname
git commit --all -m "$1"
echo "Press enter to push"
read varname
git push