Web Application Hacker's Handbook Task checklist as a Github-Flavored Markdown file
mgcfish
mgcfish
/ mixunpin.js
Created
May 25, 2023 21:01
— forked from incogbyte/mixunpin.js
Frida script to bypass common methods of sslpining Android
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| console.log("[*] SSL Pinning Bypasses"); | |
| console.log(`[*] Your frida version: ${Frida.version}`); | |
| console.log(`[*] Your script runtime: ${Script.runtime}`); | |
| /** | |
| * by incogbyte | |
| * Common functions | |
| * thx apkunpacker, NVISOsecurity, TheDauntless | |
| * Remember that sslpinning can be custom, and sometimes u need to reversing using ghidra,IDA or something like that. | |
| * !!! THIS SCRIPT IS NOT A SILVER BULLET !! |
mgcfish
/ WAHH_Task_Checklist.md
Created
March 27, 2021 22:03
— forked from jhaddix/Testing_Checklist.md
The Web Application Hacker's Handbook - Task Checklist - Github-Flavored Markdown
mgcfish
/ jsp-jstl-intruders.txt
Created
November 30, 2020 09:04
— forked from arbazkiraak/jsp-jstl-intruders.txt
wordlist generated Based on : https://medium.com/@adrien_jeanneau/how-i-was-able-to-list-some-internal-information-from-paypal-bugbounty-ca8d217a397c
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ${0 } | |
| ${0 == pageList.maxPage} | |
| ${1} | |
| ${1 eq currentPageNumber } | |
| ${5} | |
| ${5/6} | |
| ${a+1 } | |
| ${a.academyName} | |
| ${a.academyNumber} | |
| ${academyNumber==a.academyNumber} |
mgcfish
/ blind-xss-cloudflare-worker.js
Created
November 19, 2020 06:55
— forked from vavkamil/blind-xss-cloudflare-worker.js
Serverless Blind XSS hunter with Cloudflare Worker
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| addEventListener("fetch", event => { | |
| event.respondWith(handleRequest(event.request)) | |
| }) | |
| //////////////////////////////////////////////////////////////////////////////////////////////////// | |
| // ! DON'T LEAK THE SECRETS ! | |
| // Use Workers KV if you can https://developers.cloudflare.com/workers/reference/storage/ | |
| const telegram_token = "*****REDACTED*****"; | |
| const telegram_url = "https://api.telegram.org/bot" + telegram_token + "/sendMessage"; |
mgcfish
/ web-servers.md
Created
September 26, 2019 22:29
— forked from willurd/web-servers.md
Big list of http static server one-liners
Each of these commands will run an ad hoc http static server in your current (or specified) directory, available at http://localhost:8000. Use this power wisely.
$ python -m SimpleHTTPServer 8000
mgcfish
/ One-liner Mimikatz Parser
Created
July 21, 2019 11:40
— forked from Raikia/One-liner Mimikatz Parser
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Assuming you have a mimikatz dump named "mimikatz_dump.txt", I made these bash one-liners that will reformat the mimikatz output to "domain\user:password" | |
| First, before using these parsers, run: "dos2unix mimikatz_dump.txt" | |
| Mimikatz 1.0: | |
| cat mimikatz_dump.txt | grep -P '((Utilisateur principal)|(msv1_0)|(kerberos)|(ssp)|(wdigest)|(tspkg))\s+:\s+.+' | grep -v 'n\.' | sed -e 's/^\s\+[^:]*:\s\+//' | sed -e 's/Utilisateur principal\s\+:\s\+\(.*\)$/\n\1/' | sort -u | |
| Mimikatz 2.0 (unfortunately, you must "apt-get install pcregrep" because reasons): |
mgcfish
/ session_replay_urls.md
Created
February 21, 2019 14:24
— forked from gunesacar/session_replay_urls.md
Script URL substrings used to detect the embeddings from the companies offering session replay services
- mc.yandex.ru/metrika/watch.js
- mc.yandex.ru/metrika/tag.js
- mc.yandex.ru/webvisor/
- fullstory.com/s/fs.js
- d2oh4tlt9mrke9.cloudfront.net/Record/js/sessioncam.recorder.js
- ws.sessioncam.com/Record/record.asmx
- userreplay.net
- script.hotjar.com
mgcfish
/ scanconv.py
Created
November 9, 2018 23:16
— forked from axtl/scanconv.py
convert masscan/nmap xml output into lists of hosts per open port found
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python | |
| # coding: utf-8 | |
| from __future__ import print_function | |
| import os | |
| import sys | |
| from collections import defaultdict as ddict | |
| try: | |
| from defusedxml.ElementTree import parse | |
| except ImportError: |
mgcfish
/ drupalgeddon2_CVE-2018-7600_SA-CORE-2018-002.md
Created
June 15, 2018 17:45
— forked from g0tmi1k/drupalgeddon2_CVE-2018-7600_SA-CORE-2018-002.md
drupalgeddon2 / SA-CORE-2018-002 / CVE-2018-7600 cURL (PoC)
CVE-2018-7600 | Drupal < 7.58 / < 8.3.9 / < 8.4.6 / < 8.5.1 - 'Drupalgeddon2' RCE (SA-CORE-2018-002)
Source: https://gist.github.com/g0tmi1k/7476eec3f32278adc07039c3e5473708
Improved (Ruby) exploit ~ http://github.com/dreadlocked/Drupalgeddon2/ // https://www.exploit-db.com/exploits/44449/
mgcfish
/ content_discovery_all.txt
Created
June 8, 2018 16:17
— forked from jhaddix/content_discovery_all.txt
a masterlist of content discovery URLs and files (used most commonly with gobuster)
This file has been truncated, but you can view the full file.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ` | |
| ~/ | |
| ~ | |
| ×™× | |
| ___ | |
| __ | |
| _ |
NewerOlder