xrmr xrmr

What is this cheat sheet ?

I recently stumbled on a blind SSTI injection on a bug bounty program (no output nor stack trace, only 500 status code on invalid syntax)

The version was up to date and it was not possible to RCE because the conf was following best practices and there is no public sandbox bypass on the latest version. So was it possible to do stuff anyway ? Yes I found some nice gadgets to enumerate all accessible variables from the engine, read data blindly or perform some DoS.

This is not meant to be complete, you will find classic payloads for freemarker on other cheat sheets this is only the new stuff from my research which is not public anywhere else

get versions

hi, i'm daniel. i'm a 15-year-old with some programming experience and i do a little bug hunting in my free time. here's the insane story of how I found a single bug that affected over half of all Fortune 500 companies:

say hello to zendesk

If you've spent some time online, you’ve probably come across Zendesk.

Zendesk is a customer service tool used by some of the world’s top companies. It’s easy to set up: you link it to your company’s support email (like support@company.com), and Zendesk starts managing incoming emails and creating tickets. You can handle these tickets yourself or have a support team do it for you. Zendesk is a billion-dollar company, trusted by big names like Cloudflare.

Personally, I’ve always found it surprising that these massive companies, worth billions, rely on third-party tools like Zendesk instead of building their own in-house ticketing systems.

your weakest link

Description

This was a challenge to demonstrate how the content-type header can be used to fool the browser into treating the HTTP response body in unexpected ways.

Source

As the harder solution works for both, heres source:

php

Deobfuscating / Unminifying Obfuscated Web App / JavaScript Code

Some notes and tools for reverse engineering / deobfuscating / unminifying obfuscated web app code.

Assembly Language / Reversing / Malware Analysis / Game Hacking -resources

⭐Assembly Language

Modern x64 Assembly

https://www.youtube.com/playlist?list=PLKK11Ligqitg9MOX3-0tFT1Rmh3uJp7kA

	import os
	import time
	import uuid
	import requests
	requests.packages.urllib3.disable_warnings()

	headers = {
	"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0",
	"Accept": "application/json, text/plain, /",
	"Accept-Language": "en-US,en;q=0.5",

	# linux ldapsearch parser for bofhound, useful for environments that have ldap signing/binding and require kerberos auth.
	# add support for msDS-KeyCredentialLink

	"""
	$ ldapsearch -LLL -o ldif-wrap=no -E '!1.2.840.113556.1.4.801=::MAMCAQc=' -H ldap://dc.fake.com -Y GSSAPI -N -b "DC=fake,DC=com" "(&(objectClass=*))" > ldapsearch_out.txt

	SASL/GSSAPI authentication started
	SASL username: redacted@FAKE.COM
	SASL SSF: 256
	SASL data security layer installed.

	POST /api/v2/accounts
	GET /api/v2/activities?since=cstest
	GET /api/v2/audit_logs?filter[source_type]=cstest&filter[source_id]=1&filter[actor_id]=1&filter[ip_address]=cstest&filter[created_at]=cstest&filter[action]=cstest&sort_by=cstest&sort_order=cstest&sort=cstest
	GET /api/v2/automations
	POST /api/v2/automations
	GET /api/v2/bookmarks
	POST /api/v2/bookmarks
	GET /api/v2/brands
	POST /api/v2/brands
	GET /api/v2/custom_objects

	#!/bin/bash
	#
	# patch ramdisk.img (for installing Magisk on x64 Android emulator)
	#
	# x86_64 on Android 12 (API Level 32) is supported/tested currently
	#

	# install AVD:
	#
	# sudo sdkmanager 'system-images;android-32;google_apis_playstore;x86_64'

	#!/usr/bin/env bash

	set -Eeuo pipefail
	trap cleanup SIGINT SIGTERM ERR EXIT

	script_dir=$(cd "$(dirname "${BASH_SOURCE[0]}")" &>/dev/null && pwd -P)

	usage() {
	cat <<EOF
	Usage: $(basename "${BASH_SOURCE[0]}") [-h] [-v] [-f] -p param_value arg1 [arg2...]