@devom3
devom3 / CVE-2024-57240_Apryse_WebViewer_XSS.md
Last active October 10, 2025 09:29
CVE-2024-57240: Cross-Site Scripting (XSS) Vulnerability in Apryse WebViewer <= 11.1

CVE-2024-57240: Cross-Site Scripting (XSS) Vulnerability in Apryse WebViewer ≤ 11.1

Date Published: Feb 24 2025

Summary

A Cross-Site Scripting (XSS) vulnerability has been identified in Apryse WebViewer versions up to and including 11.1. This vulnerability allows remote attackers to execute arbitrary JavaScript code by supplying a crafted PDF file. The issue arises due to improper sanitization of user-supplied input during PDF rendering.

Affected Product

@ngocdangrby
ngocdangrby / AuthyIntegrity.md
Created August 30, 2024 12:40
Bypass Authy integrity with Rooted Android phone

It took me 3 days to pass the error "The device does not meet the minimum integrity requirements."

Finally, I exported my Authy from my Android 14 phone on custom ROM.

  • Phone: Realme GT2
  • ROM: custom ROM PixelOS
  • State: Root already
  • Android: 14
  • Integrity: MEETS_DEVICE_INTEGRITY
@fatherGoose1
fatherGoose1 / cronos-reentrancy.md
Created March 22, 2024 16:43
Bug report of Tectonic (Cronos) reentrancy to mint tokens at 100x actual rate.

Bug Description

There is a reentrancy vulnerability in TectonicStakingPoolV3.sol (https://cronoscan.com/address/0xE165132FdA537FA89Ca1B52A647240c2B84c8F89).

The issue arises due to the function performConversionForTokens() which is currently open for anyone to call because tcmPublicAccess is currently true. During a call to performConversionForTokens(), reentrancy can be achieved with the end result being the free minting of xTonic tokens. A brief description of the token conversion process:

  • The staking pool contract holds predominantly TONIC.
  • Other approved tokens held by the staking pool can be swapped for TONIC. For example, if the pool holds some WCRO, it can be swapped for TONIC using performConversionForTokens() which increases the contract's TONIC balance, thus increasing rewards for its stakers.
  • Upon successful conversion, any extra TONIC that was received during the swap (more than the oracle quote) is sent to the function caller as a reward.

The issue with the above is that a caller can

GitHub Search Syntax for Finding API Keys/Secrets/Tokens

As a security professional, it is important to conduct a thorough reconnaissance. With the increasing use of APIs nowadays, it has become paramount to keep access tokens and other API-related secrets secure in order to prevent leaks. However, despite technological advances, human error remains a factor, and many developers still unknowingly hardcode their API secrets into source code and commit them to public repositories. GitHub, being a widely popular platform for public code repositories, may inadvertently host such leaked secrets. To help identify these vulnerabilities, I have created a comprehensive search list using powerful search syntax that enables the search of thousands of leaked keys and secrets in a single search.

Search Syntax:

(path:*.{File_extension1} OR path:*.{File_extension-N}) AND ({Keyname1} OR {Keyname-N}) AND (({Signature/pattern1} OR {Signature/pattern-N}) AND ({PlatformTag1} OR {PlatformTag-N}))

Examples:

**1.

@dafthack
dafthack / azure_client_ids.txt
Created June 16, 2023 11:57
A collection of client IDs that can be used to authenticate a user, and their associated application name that shows up in Azure Sign-In logs.
00b41c95-dab0-4487-9791-b9d2c32c80f2 - Office 365 Management
04b07795-8ddb-461a-bbee-02f9e1bf7b46 - Microsoft Azure CLI
0ec893e0-5785-4de6-99da-4ed124e5296c - Office UWP PWA
18fbca16-2224-45f6-85b0-f7bf2b39b3f3 - Microsoft Docs
1950a258-227b-4e31-a9cf-717495945fc2 - Microsoft Azure PowerShell
1b3c667f-cde3-4090-b60b-3d2abd0117f0 - Windows Spotlight
1b730954-1685-4b74-9bfd-dac224a7b894 - Azure Active Directory PowerShell
1fec8e78-bce4-4aaf-ab1b-5451cc387264 - Microsoft Teams
22098786-6e16-43cc-a27d-191a01a1e3b5 - Microsoft To-Do client
268761a2-03f3-40df-8a8b-c3db24145b6b - Universal Store Native Client
@shariqmalik
shariqmalik / Configure_WSA_for_Pentest.md
Last active September 16, 2025 05:44
Configure WSA (Windows Subsystem for Android) for Pentest
@shariqmalik
shariqmalik / oneliner_aws_temp_creds_generator.md
Last active August 28, 2023 18:08
Oneliners to generate formatted temporary AWS STS credentials based on a preconfigured AWS profile

Oneliners to generate formatted temporary AWS STS credentials based on a preconfigured AWS profile.

For Windows (PowerShell)

aws sts get-session-token --duration-seconds (Read-Host -Prompt "Session Duration") --serial-number (Read-Host -Prompt "Serial Number") --token-code (Read-Host -Prompt "MFA code") | ConvertFrom-Json | %{$_.Credentials} | %{@{aws_access_key_id=$_.AccessKeyId;aws_secret_access_key=$_.SecretAccessKey;aws_session_token=$_.SessionToken}} | ConvertTo-Json -Compress | %{$_ -replace "{","`n`n[profile-name]`n"} | %{$_ -replace "}",""} |  %{$_ -replace ":"," = "} | %{$_ -replace '"',""} |  %{$_ -replace",","`n"} | %{$_ -replace "profile-name", (Read-Host -Prompt "Profile Name")} | tee -Variable _ | Add-Content $HOME\.aws\credentials

For Linux (bash)

@perXautomatik
perXautomatik / Disclaimer.md
Last active August 15, 2022 10:28
Full Windows [SYSTEM cleanup script] - Script Center - Spiceworks

This script has not been checked by Spiceworks. Please understand the risks before using it.

To install Docker on Debian as root:
1) apt-get update
2) apt-get install ca-certificates curl gnupg lsb-release
3) curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
4) echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian \
$(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
5) apt-get update
6) apt-get install docker-ce docker-ce-cli containerd.io
@ahbanavi
ahbanavi / encryption.php
Last active October 24, 2025 23:38
Encrypt / Decrypt JSON data between Python and PHP using AES 256 GCM
<?php
const PASSPHRASE = ''; // use 'openssl rand -hex 32' to generate key, same with python
function encrypt(array $data): string
{
    $data_json_64 = base64_encode(json_encode($data));
    $secret_key = hex2bin(PASSPHRASE);
    $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length('aes-256-gcm'));
    $tag = '';
    $encrypted_64 = openssl_encrypt($data_json_64, 'aes-256-gcm', $secret_key, 0, $iv, $tag);