Prototyping And Reverse Engineering With Frida by Jay Harris

Watch on YouTube / Slide Material
Demo 1 // Run within REPL
Process.getCurrentThreadId()
Process.enumerateModulesSync()
Interceptor.attach(ptr(Module.findExportByName(null, "rand")), {onLeave: function(retval){retval.replace(0x00)}})
Demo 2 - frida-trace
frida-trace -i "*" my_process
frida-trace -i "*rand*" -i "read" exercise
Demo…

Bypass OTP validation on Password Reset

Core issue: the app does not lock the account during OTP verification, so the OTP can be brute-forced; the app also performs the validation only on the client side.
Exploit. Password reset flow: click 'Forget Password', enter the mobile number, enter the OTP, set the new password.
Test 1 - Brute force the OTP: check whether the server locks the account.
Test 2 - Tamper with the response.
Response for Wrong OTP: HTTP/1.1 200 OK [REDACTED] {"VerifyAndDeleteOTPApplicationResponse"…

iPhone5c Jailbreak

HomeDepot http://wall.supplies/
Jailbreak.me https://jailbreak.me
Phoenix IPA Online
Troubleshooting
Cydia is Showing DPKG_LOCKED
dpkg --configure -a…

Radare2 Tutorials for beginners

Radare2 Archives - MOVEAX.ME has a series of tutorials that are very well suited to beginners.
Radare Basics - MOVEAX.ME - teaches several commonly used commands.
Crackme0x01 Dissected with Radare2 - MOVEAX.ME - the first crackme; most importantly, it has a YouTube video walking through it step by step.
Crackme0x02 Dissected with Radare2 - MOVEAX.ME - the second crackme, which shows two ways to solve the CTF, one of them by NOPing out an instruction. Also has a YouTube video.…

Hacking the Hackers: Leveraging an SSRF in HackerTarget

This post describes how an SSRF was leveraged to send email.
https://api.hackertarget.com/httpheaders/?q=<target>
Normally target is the address of a third-party site such as example.com, but the researcher found that 127.0.0.1 could be supplied.
Initial Fix: only 127.0.0.1 was checked.
Bypass: 0 127.00.1 127.0.01 0.00.0 0.0.00 127.1.0.1 127.10.1 127.1.01 0177.1 0177.…

P4 to P2 - The story of one blind SSRF · Script Kiddie`s notes

Introduction: This post describes uploading HTML to read files from the server.
Exploit: file upload features usually check whether the file type is allowed. The server allowed HTML, and an HTML upload should not be underestimated: we can put all sorts of tags into the HTML, such as <script>, <iframe> and <object>.
NIN: if iframe is blocked, try object.
Ref P4 to P2 - The story of one blind SSRF · Script Kiddie`s notes…

Local File read via XSS in dynamically generated PDF

Introduction: This post describes how XSS was used to read files from the server and have them printed into a PDF.
https://xyz.com/payments/downloadStatements?Id=b9bc3d&utrnumber=xyz&date...
The utrnumber parameter is the XSS injection point.
Payload 1: aaaa appears in the downloaded PDF.
<p id="test">aaa</p><script>document.getElementById('test').innerHTML+='aa'</script>
Payload 2: the downloaded PDF shows the PDF's own path, e.g. file://... <…

Setting Up HTTP Proxy in Terminal

Route all Terminal traffic through a proxy.
Install polipo:
➜ ~ brew install polipo
Add the following aliases (subl ~/.oh-my-zsh/custom/example.zsh):
alias proxy='nohup polipo socksParentProxy=127.0.0.1:1080 >/dev/null 2>&1 & export all_proxy=http://127.0.0.1:8123'
alias unproxy='unset all_proxy'
NIN: Port…

Story of a JSON XSS

Assume the following injection_point exists, with content_type: text/html.
{ "xxx": true, "yyy": [injection_point] }
Payload 1 - Failure: yyy=test<haha>
But the injection_point HTML-encodes < and >:
{ "xxx": true, "yyy": test&lt;haha&gt; }
Payload 2 - Failure: yyy[testarray]…