# pentester-bounty-hunter-scripts
Just posting some of the scripts I write as I strengthen my Pythonic coding, some exploit scripts written as I work through their write-ups and attempt to develop my own PoCs, as well as random scripts from one-off challenges or snippets undeserving of an entire GitHub shrine dedicated to their rancid memory.

Thanks for reading and checking out my repo!
## Scripts

- **CBC-mac / Initialization Vector vulnerability**: PoC for a CBC-MAC implementation that uses a hardcoded IV (it should be an IV of just null bytes) and hands that IV to the client. It rests on the idea that if you can modify the IV, you can change parts of the cookie without invalidating the signature. In a basic misconfiguration like this you just need to log in; the app gives you a signature and the IV as cookies. Then XOR the IV with the first block of your current username and with the first block of the username you want (this PoC uses administrator), and send the result as the new IV. Hopefully this simplifies something. Special thanks to Louis Nyffenegger for this one. The script prints the request to replay:

  ```ruby
  puts "curl -H 'Cookie: iv=#{new_iv}; auth=#{new_auth}' <victim site>"
  ```
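As an added example (not code from this repo), here is the verification side of the CBC-MAC / IV entry above in Ruby: a verifier that takes the IV from the client beside one that fixes it to null bytes server-side, showing that the tag the first accepts for a retargeted first block is rejected by the second. The key, login IV and usernames are constructed demo values.

```ruby
require 'openssl'
BLOCK = 16
# Constructed demo values; not taken from any real deployment.
SERVER_KEY = "0123456789abcdef".b
LOGIN_IV   = "\x42".b * BLOCK
ZERO_IV    = "\x00".b * BLOCK

# Null-pad to a whole number of blocks (no length field, as in the flawed scheme).
def pad(s)
  s.b + "\x00".b * ((BLOCK - s.bytesize % BLOCK) % BLOCK)
end

def xor(a, b)
  a.bytes.zip(b.bytes).map { |x, y| x ^ y }.pack('C*')
end

# Raw CBC-MAC: AES-128-CBC over the padded message, keeping only the last block.
def cbc_mac(key, iv, msg)
  c = OpenSSL::Cipher.new('aes-128-cbc').encrypt
  c.key = key
  c.iv = iv
  c.padding = 0
  (c.update(pad(msg)) + c.final)[-BLOCK, BLOCK]
end

# Vulnerable: the server trusts the IV the client hands back in the cookie.
def verify_client_iv(iv, username, tag)
  cbc_mac(SERVER_KEY, iv, username) == tag
end

# Hardened: the IV is a fixed null-byte block held server-side; no IV cookie exists.
def verify_fixed_iv(username, tag)
  cbc_mac(SERVER_KEY, ZERO_IV, username) == tag
end

# The tampering described above: swap the first block and fold the difference
# into the IV so the chaining input to AES is unchanged. Only valid when every
# block after the first stays the same (both names here fit in one block).
def retarget_first_block(iv, original, desired)
  [xor(xor(iv, pad(original)[0, BLOCK]), pad(desired)[0, BLOCK]), desired]
end

def demo
  tag = cbc_mac(SERVER_KEY, LOGIN_IV, "bob")            # cookie issued at login
  iv2, name2 = retarget_first_block(LOGIN_IV, "bob", "administrator")
  fixed_tag = cbc_mac(SERVER_KEY, ZERO_IV, "bob")       # what the hardened server issues
  { vulnerable_accepts: verify_client_iv(iv2, name2, tag),
    fixed_rejects:      !verify_fixed_iv(name2, fixed_tag),
    fixed_still_works:  verify_fixed_iv("bob", fixed_tag) }
end
```

Run `demo` to see all three checks come back true: the client-IV verifier accepts the retargeted cookie, while the fixed-IV verifier rejects it and still accepts the genuine one.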
- **CVE-2018-0114 PoC**: written in Ruby; real credit goes to Louis Nyffenegger.
- **CVE-2019-5420**: exploit to conjure up cookies to impersonate any user, discovered by ooooooo_q on HackerOne: https://hackerone.com/reports/473888
- **JWT-KID-param-RCE.rb**: inspired by the Ruby library Net::FTP (CVE-2017-17405); allows an attacker to run commands via the `kid` parameter.
- **JWT-decompile-and-resign.rb**: vuln script for a common misconfiguration of JSON Web Tokens.
- **JWT-kid-vuln.rb**: another JWT PoC based on a similar misconfiguration of the `kid` parameter, this time due to a lack of escaping that can allow SQLi or LFI.
- **SAML-exploit-101.rb**: very basic implementation to easily produce that big chunky SAML code you can swap in with a web proxy right before it hits the server.
- **ASCII-number-to-text**: converts a bunch of space-separated ASCII numbers into UTF-8, for baby's first crypto challenge.
- **hex2utf-decoder.py**: like above, baby's first hex decoder for human babies.
- **json-csrf.html**: super primitive CSRF PoC, applied to a JSON request body.
- **methodist.py**: HTTP method enumerator. Usage:

  ```
  python3 methodist.py [full url]
  ```

- **oauth-CSRF**: tamper with some parameters to expose a weakness in your web app's OAuth implementation. Fill in the variables noted within and deploy with:

  ```
  curl -H 'Authorization: Bearer [TOKEN]' [RESOURCE_SERVER]/api/keys --dump-header -
  ```