Mira
736 subscribers
801 photos
25 videos
20 files
263 links
sporadic attempts at cybersec.
personal channel.

files: @mira_files
playlist: @the_coding_playlist
Ernest Hemingway once wrote, 'The world is a fine place and worth fighting for.' I agree with the second part.


[Seven]

#movie
3
You start thinkin' about the things you can't forget, and those are the things you can't forgive.


[The Little Things]

#movie
Since I finished my mid exam, I've been binging. Have a good night
74
lol
Got this achievement on GitHub recently. It's literally been a while since I last committed too. Profile README last updated in 2023 🙂 Lowkey wanted to get back to coding. I mean, I do code now too, but it's just me slapping together some scripts or modifying them to my own needs.
2
Mira
Oh, I saw a camel too lol
Wrote "I saw a camel" in OCaml

let () = print_endline "I saw a camel"
Speaking of OCaml, I kinda liked Hyperapp back then as an FP language based on the Elm architecture to be used on the frontend. I guess I made some random task manager inspired by the book I was reading. Zoomie, one of my projects made a long time ago (open-sourced it a year or so ago), was also intended to be made with Hyperapp. I don't remember how I ended up using Express.js. Use this recent blog for a quick tour of Hyperapp if you're interested in functional programming with JS.
👍3🔥1
This was Zoomie, a video chat app built with plain WebRTC that runs on an Express server. UI built with plain CSS and jQuery (I really sucked at UI).
🔥7
For my final yapping session: I noticed that Zoomie used Handlebars as its templating engine, and lately I was looking into the Server-Side Template Injection (SSTI) vulnerability. So... SSTI was first described publicly by PortSwigger researchers in 2015 (James Kettle's Black Hat paper). It is what happens when user input ends up inside the source of a server-side template instead of being handed to the template as data. Templates are how web apps generate dynamic content: a fixed structure with placeholders that the engine fills in from variables. For example,

Hello {{ username }}


is harmless as long as 'username' is passed in as a variable: the engine renders whatever the user typed as plain text, so {{3*5}} comes out literally. It becomes SSTI when the application builds the template string itself by concatenating user input into it before compiling; then {{3*5}} is parsed as an expression, evaluated to 15, and the user controls what the engine executes. Every server-side language has its own template engines: PHP has Smarty and Twig, Python has Jinja2 and Mako, Java has FreeMarker and Velocity. I personally used Pug in Node.js for other projects and Handlebars for Zoomie. If a site reflects your input through a template, you can find out which engine it uses with the following payloads; the one that comes back as 49 tells you the engine family:

Jinja2 (Python, e.g. Flask): {{ 7*7 }}
Twig (PHP Symfony): {{ 7*7 }}
FreeMarker (Java): ${7*7}
Thymeleaf (Java): ${7*7}
Mako (Python): ${7*7}
Velocity (Java): #set($a = 7*7)${a}
Smarty (PHP): {7*7}

Two caveats. Jinja2 and Twig share the {{ }} syntax and FreeMarker, Thymeleaf and Mako share ${ }, so a 49 narrows you to a family, not an engine; PortSwigger's SSTI decision tree starts from exactly these two probes and pins the engine down with follow-up payloads. And Handlebars, which Zoomie used, does no arithmetic at all, so 7*7 will never come back as 49 there; a probe for it has to be Handlebars-specific.


The exploitation flow goes: confirm the engine, then climb from the template expression language to the engine's host objects (Python modules, Java classes) until you can read files or run commands, and from there it is ordinary post-exploitation on the box. Say the site uses Jinja2. Jinja2 expressions are evaluated as restricted Python, and attribute access on template objects is enough to walk out of the template: 'self' is the template reference, its context exposes the built-in 'cycler' helper, and that helper's __init__ was defined in the jinja2.utils module, whose globals include 'os'. So once {{ 7*7 }} comes back as 49, you can run commands like whoami on the server:

{{self._TemplateReference__context.cycler.__init__.__globals__.os.popen('whoami').read()}}


That is arbitrary command execution on the server, so this shit is high (often critical) severity, not medium: it's straight-up RCE. The real fix is not input validation (a denylist of {{ or ${ is easy to get wrong) but never building template source from user data in the first place: keep templates static on disk and pass user input only as variables. If you genuinely need user-supplied templates (email templates, themes), render them in the engine's sandbox (Jinja2 ships a SandboxedEnvironment for this) and treat that as defense in depth, not a substitute.
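Here is the injectable pattern next to the safe one in running code. This is an added example, not Zoomie's code and not any real engine: a tiny {{ expr }} compiler that evaluates each expression with JavaScript's Function constructor, the way expression-evaluating engines work internally. The names compileTemplate, greetVulnerable, greetSafe and looksInjectable are made up for this example, and the two greeting routes stand in for a real web handler.

```javascript
// Added example: minimal {{ expr }} template compiler used to contrast an
// SSTI-prone rendering path with a safe one. Not a real template engine.

// Compile a template string into a render(ctx) function. Each {{ ... }}
// segment becomes a JavaScript expression evaluated with ctx in scope,
// which mirrors how expression-evaluating engines treat template source.
function compileTemplate(src) {
  const re = /\{\{\s*([\s\S]+?)\s*\}\}/g;
  const pieces = [];
  let last = 0;
  let m;
  while ((m = re.exec(src)) !== null) {
    pieces.push(JSON.stringify(src.slice(last, m.index))); // literal text
    pieces.push(`String((${m[1]}))`);                      // expression
    last = re.lastIndex;
  }
  pieces.push(JSON.stringify(src.slice(last)));
  // `with` is legal here: Function-constructed code is non-strict.
  const body = `with (ctx) { return ${pieces.join(' + ')}; }`;
  const render = new Function('ctx', body);
  return (ctx) => render(ctx || {});
}

// VULNERABLE: user input is spliced into the template *source*, so any
// {{ ... }} the user sends is compiled and evaluated on the server.
function greetVulnerable(username) {
  return compileTemplate('Hello ' + username)({});
}

// SAFE: the template is fixed and compiled once; user input only ever
// reaches the engine as data, so {{ ... }} inside it is rendered as text.
const greeting = compileTemplate('Hello {{ username }}');
function greetSafe(username) {
  return greeting({ username });
}

// The 7*7 probe from the list above, automated: push the arithmetic payload
// through a rendering path and report whether the engine evaluated it.
function looksInjectable(greet) {
  return greet('{{7*7}}').includes('49');
}

console.log(greetVulnerable('{{7*7}}'));                 // Hello 49
console.log(greetSafe('{{7*7}}'));                       // Hello {{7*7}}
console.log(greetVulnerable('{{ process.platform }}'));  // server detail leaks
console.log(looksInjectable(greetVulnerable), looksInjectable(greetSafe)); // true false
```

Run it with node. The two routes receive exactly the same strings; the only difference is whether the string becomes template source or template data, and that difference is the whole vulnerability. The process.platform probe is the JavaScript analogue of the Jinja2 chain above: once expressions are evaluated, anything reachable from the engine's scope (here Node's global process object) is reachable by the attacker.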
can't relate with bros today
4
🤣17
feeling drained
unusual on Saturdays.
8😁3
Elementary school was wild man
I remember a vivid memory of a grown-ass adult guest telling us that the difference between email and Gmail was that we use electricity to send emails and a generator to send Gmails. Bro should've been sentenced for life
🤣34🔥2
this random lady greeted me in a taxi.
confidence++
😁9🔥73
sup chat
🔥6🥰1👀1
Mira
The expectations of others were the bars I used for my own cage.
I would sacrifice pieces of my flesh, but I'd still be considered selfish for keeping my bones

#stolenpfp
💯42
> creates a private music channel so that no one knows the cringe songs i listen to
> *looks back*
> 10 views
👀7👍1🤣1
Mira
cringe songs
want access?
Miki said they are smh good. Not top-tier taste like @Su_ch_is_life or any of the peeps who are into art, but they pass the vibe check for a casual listen while doing some chores. Here goes:

https://t.me/+CmBzrluJ4fExMDRk
🔥6