Personal notes and awesome infosec stuff for a bash-focused workflow. Highly subjective selection by nature.
- roadmap.sh - Cyber-Security Roadmap.
- CVE-2023-40477 - code execution via crafted .rar in vulnerable WinRAR versions prior to 6.23. PoC (unverified). 2023-08-17.
- CVE-2023-32981 - Arbitrary file write vulnerability in Jenkins Pipeline Utility Steps Plugin 2.15.2 and earlier using crafted archives as parameters. GitHub Security Lab. 2023-05-16.
- #1914118 - PR, Video. 2023-03-21.
- CVE-2022-3607 - ZipSlip symlink variant allows reading any file within OctoPrint Box in octoprint/octoprint. Fix. 2022-08-24.
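The archive bugs above share one root cause: extracting entry names (or symlink targets) without checking where they land. The following is an added example, not code from any of the projects listed: it builds a constructed zip in memory with a benign file, a `../` traversal entry and a symlink entry, then vets each entry against a destination directory before anything is written. The destination path and entry names are assumptions for the demo.

```python
"""Vet zip entries before extraction: ZipSlip ("../" traversal) and the symlink variant."""
import io
import os
import stat
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real-world PoC): a benign file,
    a traversal entry, and a symlink entry whose target is an absolute path."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ok.txt", "harmless")
        zf.writestr("../../etc/evil", "lands outside dest if extracted naively")
        link = zipfile.ZipInfo("link")
        link.create_system = 3                              # Unix-style attributes
        link.external_attr = (stat.S_IFLNK | 0o777) << 16   # unix mode lives in the upper 16 bits
        zf.writestr(link, "/etc/passwd")                    # a symlink entry's data is its target
    return buf.getvalue()


def is_symlink(info: zipfile.ZipInfo) -> bool:
    """True when the entry's stored unix mode says S_IFLNK."""
    return stat.S_ISLNK(info.external_attr >> 16)


def vet_zip(zip_bytes: bytes, dest: str) -> dict:
    """Return {entry name: verdict}; only 'ok' entries should reach the extractor."""
    dest_real = os.path.realpath(dest)
    verdicts = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if is_symlink(info):
                # An extractor that materialises symlinks lets a later entry, or a later
                # read of the "file", follow the link out of dest (the OctoPrint variant).
                verdicts[name] = "reject: symlink entry"
            elif os.path.isabs(name) or name.startswith(("/", "\\")) or "\\" in name:
                verdicts[name] = "reject: absolute path"
            else:
                target = os.path.realpath(os.path.join(dest_real, name))
                if os.path.commonpath([dest_real, target]) != dest_real:
                    verdicts[name] = "reject: escapes destination"
                else:
                    verdicts[name] = "ok"
    return verdicts


if __name__ == "__main__":
    for entry, verdict in vet_zip(build_sample_zip(), "/tmp/unpack").items():
        print(f"{verdict:28s} {entry}")
```

Python's own `zipfile.extractall` already strips `..` components and never creates symlinks (it writes the target text as a regular file), so the check matters most in front of other extractors, `unzip`/`tar` wrappers and archive libraries in other languages; for tarballs, Python 3.12's `tarfile` extraction filters (`filter="data"`) reject the same classes of entry.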
- Terminally Owned - 60 Years of Escaping - DEF CON 31 talk by David Leadbeater. 2023.
- Weaponizing Plain Text ANSI Escape Sequences as a Forensic Nightmare - DEF CON 31 talk by STÖK. 2023.
- Plain Text? Really? - NDC Oslo 2021 talk by Dylan Beattie. 2021.
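The practical takeaway from the talks above is that anything attacker-controlled (usernames, User-Agent strings, filenames) must be neutralised before it is written to a log or echoed to a terminal. This is an added example, not code from any of the talks: a regex that recognises CSI, OSC and other ESC-introduced sequences plus stray C0 controls, and a sanitiser that rewrites them into their visible `\xNN` spelling so the record survives forensics intact. The sample log lines are constructed.

```python
"""Neutralise terminal escape sequences in untrusted text before it reaches a log or a terminal."""
import re

# ESC-introduced sequences (CSI, OSC, other two-byte Fe sequences), the 8-bit CSI byte,
# and any remaining C0 control character except TAB and LF (CR stays in: it overwrites).
ESCAPE_RE = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"                # CSI: ESC [ params intermediates final byte
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"     # OSC: ESC ] ... ended by BEL or ESC \ (OSC 8 hyperlinks)
    r"|\x1b[\x40-\x5f]"                       # any other Fe sequence (ESC followed by @ .. _)
    r"|\x9b[0-?]*[ -/]*[@-~]"                 # 8-bit CSI (C1) form
    r"|[\x00-\x08\x0b-\x1f\x7f]"              # stray C0 controls (including a lone ESC) and DEL
)


def neutralize(text: str) -> str:
    """Rewrite each sequence as its visible \\xNN spelling so it is recorded but never interpreted."""
    return ESCAPE_RE.sub(lambda m: m.group().encode("unicode_escape").decode("ascii"), text)


def contains_escape(text: str) -> bool:
    return ESCAPE_RE.search(text) is not None


# Constructed sample: a "username" that moves the cursor up, erases the previous log line and
# replaces it, plus an OSC 8 hyperlink whose visible text lies about its target.
SAMPLE_LINE = (
    "2023-08-17T10:00:00Z login ok user=alice\n"
    "2023-08-17T10:00:01Z login ok user=\x1b[1A\x1b[2Kadmin"
    " ref=\x1b]8;;http://attacker.example\x1b\\https://trusted.example\x1b]8;;\x1b\\\n"
)

if __name__ == "__main__":
    print(neutralize(SAMPLE_LINE), end="")
```

Escaping rather than stripping is deliberate: a stripped sequence leaves no trace that someone tried, while `\x1b[2K` in the log is itself an indicator worth alerting on. Run `cat` on the raw `SAMPLE_LINE` in a terminal to see the original lie, then on the neutralised form.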
- CVE-2023-34153 - Command injection via video:vsync or video:pixel-format. Fix. 2023-05-30.
- ImageMagick: The hidden vulnerability behind your online images - 2023-02-01.
- CVE-2022-44268 - Arbitrary file read over ImageMagick. #1858574, alternative.
- ImageMagick - Shell injection via PDF password - 2021-11-21.
- #1154542 - RCE in GitLab when removing metadata with ExifTool. Video. 2021-04-07.
- CVE-2021-32802 - HEIC image preview can be used to invoke Imagick. #1261413. 2020-07-14.
- CVE-2019-11932 - Double-free bug in WhatsApp turns into RCE. BBRE. 2019-10-02.
- CVE-2016-3714 - "ImageTragick" delegate arbitrary command execution. Exploit-DB.
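Most of the ImageMagick entries above reach code execution or file reads through coders and delegates that a thumbnailing service never needs. The fragment below is an added example of a `policy.xml` hardening, not taken from the page's sources: the coder list is the one published in response to ImageTragick, the `path` and `delegate` entries are the common additional lockdown. Adjust the delegate line for any converter (e.g. ghostscript for PDF) you actually rely on.

```xml
<policymap>
  <!-- Coders that can reach the network or run other programs: off unless you know you need them. -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
  <!-- Block "@file" indirect reads, which turn a filename argument into a file-read primitive. -->
  <policy domain="path" rights="none" pattern="@*" />
  <!-- Delegates shell out (ghostscript, ffmpeg, ...): deny all, then re-enable reviewed ones
       individually with an explicit rights="read|write" entry. -->
  <policy domain="delegate" rights="none" pattern="*" />
</policymap>
```

Check what is in force with `convert -list policy` (or `magick -list policy`); the policy is containment and does not replace the code fixes linked above. Disabling delegates does not help if the input is also handed to a separate tool such as ExifTool, which is what the GitLab report is about.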
- Fonts are still a Helvetica of a Problem - Canva Dev-blog covering:
  - CVE-2023-45139 - XXE via generating a subset from a font.
  - CVE-2024-25081 - Command injection via filenames in subfonts.
  - CVE-2024-25082 - Similar to the previous one, but in archives of compressed WOFF (ZLIB-based) / WOFF2 (Brotli-based) fonts.
- CVE-2024-4367 - Glyph rendering in Mozilla's PDF.js leads to JavaScript execution. Codean Labs.
- #771666 - Stealing Zomato X-Access-Token in bulk using HTTP Request Smuggling on api.zomato.com. 2020-01-10.
- HTTP Desync Attacks: Smashing into the Cell Next Door - DEF CON 27 talk by James Kettle (@albinowax) of PortSwigger. 2019-11-16.
- #737140 - CL.TE-based request smuggling on Slack. 2019-11-14.
- HTTP Desync Attacks: Request Smuggling Reborn - 2019-08-07.
- defparam/smuggler - An HTTP Request Smuggling / Desync testing tool. Python 3.
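The CL.TE case in the Slack report comes down to two hops framing one byte stream differently. The model below is an added example, not code from the reports or from defparam/smuggler: it parses a constructed stream once the way a front end that honours `Content-Length` would and once the way a back end that honours `Transfer-Encoding: chunked` would, and shows the leftover bytes being glued onto the next client's request. Host names and paths are assumptions.

```python
"""Model how two hops frame the same TCP stream: one trusts Content-Length, the other Transfer-Encoding."""

# Constructed CL.TE probe: the front end frames the body by Content-Length (13 bytes, which
# covers "0\r\n\r\nSMUGGLED"), the back end by chunked encoding, so "SMUGGLED" is left in the
# connection buffer and prefixes whatever arrives next on that back-end connection.
ATTACKER_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: vulnerable.example\r\n"
    b"Content-Length: 13\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n"
    b"\r\n"
    b"SMUGGLED"
)

# A different client's request that the front end forwards on the same back-end connection.
VICTIM_REQUEST = (
    b"GET /account HTTP/1.1\r\n"
    b"Host: vulnerable.example\r\n"
    b"\r\n"
)


def parse_head(buf: bytes, start: int):
    """Return (request line, lowercased header dict, offset of the body)."""
    end = buf.index(b"\r\n\r\n", start)
    lines = buf[start:end].split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end + 4


def body_end_content_length(buf: bytes, body_start: int, headers: dict) -> int:
    return body_start + int(headers.get(b"content-length", b"0"))


def body_end_chunked(buf: bytes, body_start: int, headers: dict) -> int:
    """Walk chunk by chunk; the 0-size chunk ends the body (trailers not handled here)."""
    pos = body_start
    while True:
        line_end = buf.index(b"\r\n", pos)
        size = int(buf[pos:line_end].split(b";")[0], 16)
        pos = line_end + 2
        if size == 0:
            return buf.index(b"\r\n", pos) + 2      # the empty line after the last chunk
        pos += size + 2                              # chunk data plus its CRLF


def frame_requests(buf: bytes, prefers: str) -> list:
    """Split buf into request lines the way a hop that prefers 'CL' or 'TE' would."""
    seen, pos = [], 0
    while pos < len(buf):
        request_line, headers, body_start = parse_head(buf, pos)
        has_te = headers.get(b"transfer-encoding", b"").lower() == b"chunked"
        has_cl = b"content-length" in headers
        if has_te and (prefers == "TE" or not has_cl):
            pos = body_end_chunked(buf, body_start, headers)
        else:
            pos = body_end_content_length(buf, body_start, headers)
        seen.append(request_line)
    return seen


if __name__ == "__main__":
    stream = ATTACKER_REQUEST + VICTIM_REQUEST
    print("front end (CL):", frame_requests(stream, "CL"))
    print("back end  (TE):", frame_requests(stream, "TE"))
```

The back end's second request line reads `SMUGGLEDGET /account HTTP/1.1`; replace the prefix with a full request and headers and the victim's request becomes its body, which is the shape of the token-stealing reports above. A front end that rejects messages carrying both headers, or that normalises to one framing before forwarding, closes this particular gap.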
- ambionics/phpggc - PHPGGC is a library of PHP unserialize() payloads along with a tool to generate them, from the command line or programmatically.
- Finding a POP chain on a common Symfony bundle - Detailed, step-by-step bash-driven analysis of a Symfony bundle. Part 2. 2023-09-12.
- Code Reuse Attacks in PHP: Automated POP Chain Generation - Using static analysis to automatically identify POP chains in various PHP frameworks.
- Insecure Deserialization Detection in Python - Project work by Aneesh Verma discussing deserialization issues. 2023-05.
- frohoff/ysoserial - A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
- Universal Deserialisation Gadget for Ruby 2.x-3.x - 2021-01-07.
- Ruby Deserialization - Ruby 2.x Universal RCE Deserialization Gadget Chain. 2018-11-08.
- payloadbox/sql-injection-payload-list - SQL Injection Payload List.
- RFC 3986 - Official RFC for Uniform Resource Identifier (URI). 2005-01.
- What Is a URL? - Dangers of inconsistent parsing of URLs. 2023-04-30.
- http-http-http-http-http-http-http - Daniel Stenberg, the author of curl, discusses URL validation with examples. 2022-09-08.
- A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! - Black Hat talk by Orange Tsai discussing how different libraries parse URLs. Slides. 2017.
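The common thread in the URL references above is that a filter and the HTTP client must agree on which component is the host. The following is an added example (not from curl, the talk or the posts): a substring "allowlist" of the kind that is bypassed by userinfo, fragments and prefix tricks, beside a check that parses once with `urllib.parse.urlsplit` and compares the parsed host. The allowlist and probe URLs are assumptions.

```python
"""Why a substring or suffix check on a URL is not a host check: parse first, then compare components."""
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"trusted.example"}        # assumed allowlist for this example


def naive_is_allowed(url: str) -> bool:
    """What a lot of SSRF filters amount to: the trusted name appears somewhere in the string."""
    return "trusted.example" in url


def strict_is_allowed(url: str) -> bool:
    """Compare the parsed host, reject userinfo and odd ports, and only then let the client fetch it."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False                       # "trusted@attacker" tricks end here
    try:
        port = parts.port                  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if port not in (None, 80, 443):
        return False
    return parts.hostname in ALLOWED_HOSTS # .hostname is lowercased, without brackets or userinfo


# Constructed probe URLs: each one passes the substring check; only the last should pass the strict one.
PROBES = [
    "http://trusted.example@attacker.example/",       # userinfo: the real host is after '@'
    "http://attacker.example#@trusted.example/",      # the "trusted" part is the fragment
    "http://attacker.example/?next=trusted.example",  # the name is in the query
    "http://trusted.example.attacker.example/",       # prefix of a longer attacker-owned name
    "http://trusted.example:8080/",                   # allowed host, unexpected port
    "https://trusted.example/path?q=1",
]

if __name__ == "__main__":
    for url in PROBES:
        print(f"naive={naive_is_allowed(url)!s:5} strict={strict_is_allowed(url)!s:5} {url}")
```

Two caveats a practitioner will want: hand the HTTP client the components you validated (or the URL rebuilt from them) rather than the original string, so a second parser cannot disagree with the first; and a host-name check says nothing about where the name resolves or redirects to, which is a separate control (resolve, check the address, pin it for the request).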
- CVE-2023-30943 - Moodle vulnerability allowing a remote user to send a specially crafted HTTP request and create arbitrary folders on the system using TinyMCE loaders. 2023-05-11.
- CVE-2011-4906 - Joomla 1.5.12 TinyMCE vulnerability leading to RCE (via arbitrary file upload). #778629. Exploit-DB.
- OWASP: XSS Cheat Sheet - Filter Evasion Cheat Sheet by OWASP.
- Cross-site scripting (XSS) cheat sheet - XSS Cheat Sheet by Portswigger.
- AwesomeXSS - Awesome Page about XSS.
- Cross-site scripting contexts - Portswigger XSS context breakouts.
- Breaking XSS mitigations via Script Gadgets - Conference talk from 2017 explaining various CSP bypasses using Script Gadgets. 2017.
- #1444682 - XSS over data: at jamfpro.shopifycloud.com in outdated Swagger UI. 2022-01-09.
- #1276742 - Stored XSS in SVG file as data: URL in rich text editor. 2021-07-24.
Multiple single vulnerabilities combined to create a more significant one.
- #2089042 - ATO via self-XSS and cookie bridge (switching to local domains, here yelp.com to yelp.dk). Includes setting additional cookies to break the cookie bridge. 2023-07-28.
- CVE-2023-36844 and Friends: RCE in Juniper Devices - Utilising two bugs that would be near-useless in isolation and combining them into unauthenticated RCE. ComputerWeekly. CVE-2023-36846, CVE-2023-36845, PoC.
- Two XSS Vulnerabilities in Azure with Embedded postMessage IFrames - iframe, postMessage and XSS. 2023-06-14.
- A smorgasbord of a bug chain: postMessage, JSONP, WAF bypass, DOM-based XSS, CORS, CSRF… - a complex bug chain consisting of an insecure message event listener, a shoddy JSONP endpoint, a WAF bypass, DOM-based XSS on an out-of-scope subdomain, and a permissive CORS configuration. 2023-05-05.
- #1032610 - Chaining requests to bypass a blacklist. 2020-11-12.
- WordPress Transposh: Exploiting a Blind SQL Injection via XSS - combining three CVEs: weak default config, stored XSS, and blind SQL injection. 2022-07-22.
- XXE-scape through the front door: circumventing the firewall with HTTP request smuggling - XML External Entity injection (XXE) combined with request smuggling. 2020-03-18.
- Type Juggling - Official PHP page.
- PHP Magic Tricks: Type Juggling - 2015.
- PHP filters chain - What is it and how to use it. 2022.
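The type-juggling case that keeps showing up in audits is `==` between two hash strings. As an added example (my own model, not code from the PHP manual or the talk), the block below reproduces PHP's loose comparison rule for strings in Python: when both sides are numeric strings the comparison is numeric, so two MD5 digests of the form `0e<digits>` both read as 0.0 and compare equal. The numeric-string regex is a simplification of PHP's grammar; the two magic-hash inputs are well known.

```python
"""Model PHP's loose string comparison to see why '0e...' hashes collide under ==."""
import hashlib
import hmac
import re

# A PHP numeric string: optional whitespace, sign, integer or decimal, optional exponent
# (assumed simplification of the engine's grammar; hex strings stopped counting in PHP 7,
# trailing whitespace is accepted since PHP 8).
NUMERIC_STRING = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def is_numeric_string(s: str) -> bool:
    return NUMERIC_STRING.match(s) is not None


def php_loose_equal(a: str, b: str) -> bool:
    """PHP '==' on two strings: numeric when both are numeric strings, else byte-wise."""
    if is_numeric_string(a) and is_numeric_string(b):
        return float(a) == float(b)
    return a == b


def php_strict_equal(a: str, b: str) -> bool:
    """PHP '===' or hash_equals(): same type and same bytes (constant-time here as a bonus)."""
    return hmac.compare_digest(a.encode(), b.encode())


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# Two well-known "magic hash" inputs: both MD5 digests have the form 0e<digits>, which PHP reads
# as 0 * 10^n == 0.0 when compared loosely. A login doing `if ($stored == md5($input))` accepts
# either password for the other's account.
STORED_PASSWORD, ATTACKER_GUESS = "240610708", "QNKCDZO"

if __name__ == "__main__":
    stored, guess = md5_hex(STORED_PASSWORD), md5_hex(ATTACKER_GUESS)
    print(stored, guess)
    print("==  :", php_loose_equal(stored, guess))
    print("=== :", php_strict_equal(stored, guess))
```

The fix on the PHP side is `===` or `hash_equals()`, never `==`, for anything that came out of a hash function or a token generator; PHP 8 tightened string-to-number comparison, but two numeric strings are still compared numerically, so the `0e` case survives.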
- Prototype Pollution in Python - 2023-01-04.
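Python has no prototypes, but a recursive "merge this dict into that object" helper lets a payload walk `__class__` and then `__base__` and write attributes on a class that every other instance reads. The block below is an added example, my own reconstruction and not the post's code: an unsafe merge of that shape, a hardened one that refuses underscore keys and class objects, and a harness that reports whether an unrelated instance was affected. The class hierarchy and the payload are constructed for the demo.

```python
"""Class pollution via an unsafe recursive merge: the Python analogue of prototype pollution."""


def merge_unsafe(src: dict, dst):
    """Dict keys become attributes; nested dicts descend into whatever the attribute already
    holds, including __class__ and __base__ (the pattern the post warns about)."""
    for key, value in src.items():
        if isinstance(dst, dict):
            if isinstance(value, dict) and isinstance(dst.get(key), dict):
                merge_unsafe(value, dst[key])
            else:
                dst[key] = value
        elif isinstance(value, dict) and hasattr(dst, key):
            merge_unsafe(value, getattr(dst, key))
        else:
            setattr(dst, key, value)


def merge_safe(src: dict, dst):
    """Hardened: reject any underscore-prefixed key, never descend into a class object,
    and only set attributes the target already declares."""
    for key, value in src.items():
        if not isinstance(key, str) or key.startswith("_"):
            raise ValueError(f"refusing to merge key {key!r}")
        if isinstance(dst, dict):
            if isinstance(value, dict) and isinstance(dst.get(key), dict):
                merge_safe(value, dst[key])
            else:
                dst[key] = value
            continue
        if not hasattr(dst, key):
            raise ValueError(f"unknown attribute {key!r}")
        current = getattr(dst, key)
        if isinstance(current, type):
            raise ValueError(f"refusing to descend into class via {key!r}")
        if isinstance(value, dict):
            merge_safe(value, current)
        else:
            setattr(dst, key, value)


def build_classes():
    """Fresh class hierarchy per call, so one run's pollution cannot leak into another."""
    class Employee:
        is_admin = False                 # shared default every instance reads until overridden

        def __init__(self, name):
            self.name = name

    class Developer(Employee):
        def __init__(self, name, lang):
            super().__init__(name)
            self.lang = lang

    return Employee, Developer


# Constructed attacker payload, e.g. the JSON body of an "update my profile" request: the visible
# field is harmless; the nested part climbs instance -> class -> base class and writes there.
PAYLOAD = {"lang": "go", "__class__": {"__base__": {"is_admin": True}}}


def pollute(merge_fn, payload: dict) -> bool:
    """Merge the payload into the attacker's own object and report whether an unrelated
    Employee instance now sees is_admin == True."""
    Employee, Developer = build_classes()
    attacker = Developer("mallory", "python")
    victim = Employee("alice")
    merge_fn(payload, attacker)
    return victim.is_admin


def safe_merge_rejects(payload: dict) -> bool:
    """True when merge_safe refuses the payload outright."""
    try:
        pollute(merge_safe, payload)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("unsafe merge, victim.is_admin =", pollute(merge_unsafe, PAYLOAD))
    print("safe merge rejected payload   =", safe_merge_rejects(PAYLOAD))
```

The blocklist on `_` is the minimum; the better design is to merge untrusted input into a plain dict validated against a schema and copy named fields onto the object, so there is no attribute traversal for a payload to steer at all.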